Article 1 – General Information
The CREATERRA website collects and processes personal data belonging to its customers and prospects. By personal data, the CREATERRA website means all information by which a natural person may be identified or identifiable, either directly or indirectly.
This refers to one or more pieces of data specific to a person’s physical, physiological, genetic, psychological, economic, cultural or social identity, such as, for example, an online identifier, a name, a postal address, an email address, a telephone number, etc.
However, the CREATERRA website undertakes not to request or retain any so-called “sensitive” data. Data concerning, for example, political opinions, religious and philosophical beliefs, racial or ethnic origin, trade union membership, sexual life or sexual orientation, medical information or biometric data (digital fingerprints and photographs) in accordance with Article 9.1 of the General Data Protection Regulation (hereinafter the “GDPR”).
With the entry info effect of the GDPR, the CREATERRA website has put in place the following code of conduct:
A. DATA CONTROLLER
The CREATERRA website is designated as the “data controller” with regard to its customers’ data, in accordance with Articles 4 and 5 of the GDPR. Its contact details are as follows:
- Rue d’Arlon 6
- L-8399 Windhof
- Courriel : email@example.com
- Tel : +352 451 636 – 1
The data controller’s representative is as follows:
- Département Compliance & Risk Officer
- Hugues Derem
- Courriel : firstname.lastname@example.org
- Tel : +352 45 16 36 411
B. DATA PSEUDONYMISATION
As far as possible and with the exception of official documents requiring useful information, the CREATERRA website has adopted the use of pseudonyms to manage its customers in the form of a single ID used mainly in its commercial management and billing systems.
These systems have password access, are secure and encrypted as recommended in best practices and meet the requirements of Articles 4 and 5 of the GDPR.
C. LAWFULNESS, FAIRNESS AND TRANSPARENCY
Subscription to a sale, service or contract is subject to collection by the CREATERRA website of personal data from its customers and prospects, the processing of which is necessary for the execution of the business relationship or legal obligations.
This data may be processed, saved and archived by the CREATERRA website, or even communicated to third parties, in the context of a legitimate interest pursued by the CREATERRA website or by the third party to which the data are provided, in particular for the management of customers’ files, the management of contracts, customer services, the management of the commercial relationship, the detection, prevention and fight against fraud, statistical studies, the management of litigation and debt collection, and payment for services.
These terms and conditions are deemed lawful, fair and transparent and correspond to the requirements set out in Article 5 of the GDPR. The lawfulness of the processing is recognised as such if it corresponds to at least one of the conditions set out in Article 6.1 of the GDPR; if none of these conditions are met, the CREATERRA website undertakes not to collect data, with the exception of data that may be used in the context of commercial prospecting (see point “d. Limitation of Purposes”).
D. LIMITATION OF PURPOSES
Personal data communicated by customers and/or prospects may be used by the CREATERRA website for direct marketing purposes (commercial actions, personalised advertising, etc.) with a view to informing customers and/or prospects about their activities, products and services, unless the data subject objects to the processing of their personal data for prospecting purposes, in accordance with the provisions of Article 21 of the GDPR.
Incidentally, the CREATERRA website does not make automated individual decisions, including profiling (i.e. any form of automated processing of personal data consisting in using such data as defined in article 4.4 of the GDPR).
E. DATA MINIMISATION
The CREATERRA website only collects from its customers and prospects the information needed to establish a sale, service or contract. In particular, it does not collect any personal data that would not be useful in the context of its services and will not collect any data considered sensitive or defined as such in point “A. General Information” or in Article 9 of the GDPR.
The CREATERRA website will therefore collect personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed (principle of data minimisation) in accordance with Article 5 of the GDPR.
The CREATERRA website processes personal data and ensures they are accurate and, where necessary, kept up to date. It also provides its customers with specific forms available on its website allowing them to communicate directly with the data controller or their representative in order to allow the data to be viewed, modified or erased so that they are always accurate, in accordance with the principle of accuracy expressed in Article 5 of the GDPR.
G. STORAGE LIMITATION
In principle, the CREATERRA website stores the personal information of its customers throughout the duration of the sale, service or contract entered with them or, failing that, for the legal storage period of the documents as defined in the CNPD’s storage period guidelines, compatible with the principle of data storage limitation described in Article 5 of the GDPR.
It also stores the personal data of its prospects for three years before cancelling them if no commercial transaction has been carried out during such time.
H. INTEGRITY AND CONFIDENTIALITY
The CREATERRA website undertakes to put in place solutions to ensure the appropriate security of personal data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage by means of technical or organisational measures.
These solutions are in line with the recommendations described in Article 5 of the GDPR concerning the integrity and confidentiality of personal data.
I. RESPONSIBILITY OF THE CREATERRA WEBSITE
As data controller, the site CREATERRA undertakes to implement all the points mentioned in this Code of Conduct and to be able to demonstrate to the competent supervisory authorities that they are respected and monitored over time, in accordance with the description given in Article 5 of the GDPR.
To this end, the CREATERRA website has set up a processing register in which it records all the processing performed in the scope of the GDPR.
Details of the CREATERRA website’s personal data processing policy is also available on its website at https://www.createrra.com/legal-notice?lang=en
Article 2 – Service Agreements
Under the GDPR, where data are outsourced, customers are required to enter into an agreement with the CREATERRA website containing, in particular, mandatory information relating to the planned data processing, such as the duration, nature and purpose of the processing, the type and sensitivity of the data provided, the categories of data subjects concerned, access authorisation, security requirements and restrictions on transfers outside the EU, etc., in accordance with Article 28 paragraph 3 of the GDPR.
Article 3 – Obligations of Customers
Customers and/or prospects alone determine the purposes and means of processing of the personal data for which they are responsible. Where customers and/or prospects intend to outsource the processing of personal data, it is their responsibility to select a data processor offering sufficient guarantees regarding the implementation of the required technical and organisational measures, in accordance with Article 28 paragraph 1 of the GDPR.
Where personal data for which customers and/or prospects are the data controllers are outsourced to the CREATERRA website for processing, the customers and/or prospects represent that they have complied with all legal obligations regarding the protection of personal data, and in particular that they have:
- Ensured that where all or part of the personal data whose processing is outsourced to the CREATERRA website have already been outsourced to a third party, that said third party processor offered sufficient guarantees regarding the implementation of the technical and organisational measures required in accordance with Article 28, paragraph 1, of the GDPR;
- Provided their customers with information relating, in particular, to the data storage period, the right to access, rectify and erase data, and the right to restrict or object to the processing of their personal data, in accordance with the provisions of Articles 13 to 21 of the GDPR;
- Implemented an internal policy and appropriate technical and organisational measures to demonstrate to the supervisory authorities at all times that the processing of the personal data complies with the requirements of Articles 24 to 26 of the GDPR;
If the service ordered by the CREATERRA website’s customers requires the written consent of their customers for the processing of their sensitive personal data as referred to in Article 9.1 of the GDPR, CREATERRA website customers undertake to obtain the written consent of their customers before transmitting such data to the CREATERRA website in accordance with Article 7 of the GDPR, and guarantees same.
Customers will compensate the CREATERRA website for any harm it may suffer as a result of their failure to comply with their personal data protection obligations.
Article 4 – Processing of Personal Data by an Outsourcer of the CREATERRA Website
Where the CREATERRA website outsources a service requiring the processing of personal data on behalf of its customers, the CREATERRA website requests the latter’s prior written authorisation, as indicated in Article 2 – Service Agreements, before hiring or replacing service providers, in accordance with Article 28(2) of the GDPR.
Article 5 – Processing of Personal Data by CREATERRA as an Outsourcer
Where the service ordered by the CREATERRA website’s customers requires that certain personal data of their respective customers be outsourced by the CREATERRA website, CREATERRA website customers are required to enter into a contract with the CREATERRA website as indicated in Article 2 – Service Agreements.
Article 6 – Transfers of Personal Data to Third Countries or International Organisations
Personal data collected by the CREATERRA website are not transferred to third countries or international organisations by default. The only case in which personal data may be transferred to third countries or international organisations is in the event of outsourcing, for which the CREATERRA website establishes service agreement with its data processors proving de facto that they provide an adequate level of protection as required by Articles 44 to 50 of the GDPR (see also Articles 2, 4 and 5 of this section).
Article 7 – Personal Data Not Collected from the Data Subject
The CREATERRA website may use public and/or private data sources for marketing purposes. In the context of this commercial prospecting, it undertakes to inform the prospect of the identity of the data controller and of his/her rights, as well as the manner in which such rights may be exercised. It may also indicate the data source and data storage period (see “G. Storage Limitation”).