For GRYZZLY, the preservation of Users’ personal data is important.
GRYZZLY undertakes to implement appropriate measures for the protection, confidentiality and security of Users’ personal data, in accordance with the regulations in force in Europe, as laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection), and in particular the rules of national law implementing that Regulation.
The purpose of this charter (the “Charter”) is to inform and enlighten Users on the purposes of the collection and processing of their personal data by GRYZZLY, as data controller.
Users are therefore invited to read the Charter very carefully, to print it and to keep a copy.
By using the Solution, the User accepts all the provisions included in the Charter relating to the collection and processing of his/her data, for the purposes set out below.
Users are required to provide their personal data in digital format when using the Solution.
1. Categories of personal data collected
No sensitive data is collected or processed by GRYZZLY.
The User data that GRYZZLY may collect and process may consist (without limitation) of the following data:
a) Identity: civil name, surname, first names, company name, address, telephone number (fixed and/or mobile), fax number, e-mail addresses, internal processing code allowing identification of the customer (this internal processing code cannot be the registration number in the national identification register of natural persons (social security number), nor the bank card number, nor the number of an identity document). A copy of an identity document may be kept to prove the exercise of a right of access, rectification or opposition or to meet a legal obligation;
b) data relating to means of payment: billing e-mail address, billing address, postal or bank statement, cheque number, credit card number, expiry date of the credit card, visual cryptogram (the latter not being kept, in accordance with the regulations in force);
c) data relating to the transaction such as the transaction number, details of the purchase, subscription, good or service purchased;
d)family, economic and financial situation: marital life, number of persons in the household, number and age of the child(ren) at home, profession, field of activity, socio-professional category, presence of domestic animals ;
e) data relating to the follow-up of the commercial relationship: requests for documentation, test requests, product purchased, service or subscription subscribed, quantity, amount, frequency, delivery address, history of purchases and services, return of products, origin of the sale (seller, representative, partner, affiliate) or order, correspondence with the customer and after-sales service, exchanges and comments of customers and prospects, person(s) in charge of the customer relationship;
f)payment details of invoices: payment terms, discounts granted, received, balances and unpaid not resulting in the exclusion of the person from a right, benefit or contract subject to authorisation by the Commission as provided for by Article 25-I-4° of the law of 6 January 1978 as amended ;
g) the data needed to carry out loyalty, prospecting, research, polling, product testing and promotion measures, the selection of persons being possible only on the basis of analysis of the data listed above ;
h) data relating to the organisation and processing of contests, lotteries and any promotional operations, such as the date of participation, the answers given to the contests and the nature of the prizes offered;
i) data relating to the contributions of persons submitting opinions on products, services or content, including their pseudonym ;
j) data collected through the actions referred to in Article 32-II of the Act of 6 January 1978 as amended.
2. Principles applicable to the collection and processing of personal data
Legal basis for the collection and processing of personal data
Users’ personal data are processed by GRYZZLY in the cases authorised by the regulations in force and under the following conditions:
- Obtaining free, specific, informed and unequivocal consent from the User (or his legal representative in case of minority or incapacity) to the processing of their personal data;
- Collection of personal data necessary for the execution of the User’s request;
- Compliance with legal and/or regulatory obligations imposed on GRYZZLY (such as the fight against fraud and corruption);
- Protection of GRYZZLY’s legitimate interests (such as protecting the security of its computer network).
Users’ browsing information applicable to the collection and processing of personal data
When using the Solution or certain related services, certain data are collected automatically such as the IP address, the reference of the navigation software used, the navigation data (date, time, content consulted, search terms used, etc.), the references of the operating system.
The data collected during browsing are deleted at the end of the browsing session on the Solution, by the User or, if applicable, within a maximum period of 13 months from their collection.
Purposes of the collection and processing of personal data
Users can use the Solution without it being necessary to communicate personal data to GRYZZLY.
GRYZZLY collects and processes User data for the following purposes :
to execute the mission entrusted by the User, customer of GRYZZLY, within the framework of the execution of the offer,
to use and improve the Solution and/or GRYZZLY’s commercial offers, in particular in the context of surveys, surveys and other solicitations,
for billing and communication needs to the Payment Intermediary (as defined and identified in the Solution’s terms and conditions of use), for payment of Subscriptions,
for the purpose of sending and communicating GRYZZLY newsletters, informative or commercial e-mail alerts and/or news to Users wishing to receive them,
to answer enquiries (online contact forms),
to respond to job applications (personal data collected: name(s), first name(s), e-mail, telephone number, CV, cover letters if attached,
to disseminate via the Solution and/or any social and communication networks and/or any other GRYZZLY supports and materials, whatever the form or nature, existing or to come, the comments and/or opinions of Users on the said Solution and/or on GRYZZLY,
for any measure or project that is more broadly in line with an objective of interest to Users or to improve the relationship and the customer experience,
to meet regulatory requirements in force or being adopted.
Retention period for personal data
The period for which Users’ personal data are kept depends on the purpose concerned.
In this context, Users’ personal data are kept for the time necessary to complete their request.
In the absence of any realization, personal data are deleted within the deadlines recommended by the Commission Nationale Informatique et Libertés (CNIL), after a period of three years from their collection on the Solution, subject to :
- the legal possibilities and obligations regarding archiving,
- obligations to keep certain data, for evidential purposes, and/or to make them anonymous.
The personal data of the User, customer of GRYZZLY, collected and processed, for the purposes of executing offers, are retained for the time necessary to manage the contractual relationship.
By way of derogation, the personal data required for the establishment of proof of a right or a contract are archived in accordance with legal provisions (5 or 10 years after the end of the commercial relationship as the case may be).
3. Recipients of personal data collected
The personal information collected is exclusively intended for GRYZZLY and will not be the subject of transfer or exchange to third parties, other than for the purposes referred to in article 2 above, for the GRYZZLY User customer. As such, the billing data of the GRYZZLY User will be transmitted to the Payment Intermediary, for the payment of Subscriptions subscribed or renewed by the latter.
Only the authorised personnel of the group and GRYZZLY service providers may have access to the personal data collected and be required to process them, without prejudice to their possible transmission to the bodies in charge of a control or inspection mission in accordance with the legislation and/or regulations in force or for the purposes of responding to a judicial or administrative decision.
Subject to their complete anonymization, GRYZZLY is entitled, in compliance with the text provisions in force, to use Users’ personal data, in particular for statistical purposes, measurement, transfer and/or exchange to third parties.
4. Transfer of personal data
The personal data of the Users collected are hosted in France.
In the context of its recourse to affiliates or service providers located outside the European Union, GRYZZLY undertakes to verify that appropriate measures have been put in place to ensure that Users’ personal data enjoy an adequate level of protection.
5. Protection measures put in place by GRYZZLY
GRYZZLY collects and processes Users’ personal data in compliance with current regulations.
When disclosure of a User’s personal data to third parties is necessary and authorized, GRYZZLY ensures that these third parties guarantee to said personal data the same level of protection as that put in place by GRYZZLY. In this context, GRYZZLY asks each of its contractual partners for confirmation of compliance with the applicable regulations.
GRYZZLY puts in place technical and organisational measures to ensure that the storage of Users’ personal data is secure for the duration necessary for the exercise of the purposes pursued.
GRYZZLY draws Users’ attention to the fact that no transmission or storage technology is totally infallible.
Also, in the event of a proven breach of Users’ personal data, likely to create a high risk for Users’ rights and freedoms, GRYZZLY will inform the competent supervisory authority of such breach in accordance with the procedures provided for by current regulations.
Users must exercise caution to prevent any unauthorized access to their personal data and in particular to their computer and digital terminals (computer, smartphone, tablet in particular).
6. Rights of Users
In accordance with current regulations, Users have the following rights, subject to legal and regulatory limitations:
Right to information on the collection and processing of personal data
GRYZZLY undertakes to make its best efforts to ensure that the information communicated to Users is accessible, accurate and transparent on the conditions of collection and processing of their personal data.
Right of access / right to delete (“right to forget”) / right of rectification / right of opposition / right to limit processing
Any User may, at any time, access personal information concerning him held by GRYZZLY. He has the right to receive a copy in electronic form (for any additional copy, GRYZZLY will be entitled to charge a fee based on the administrative costs incurred).
Each User has the right to request the deletion and/or correction of his personal data when these are erroneous or obsolete. GRYZZLY may retain certain personal data when required by law or for legitimate reasons.
Users may object at any time for legitimate reasons:
- he use of their personal data for direct marketing purposes, or
- the re-use of their personal data for processing other than those listed in Article 2 above, except in the event of GRYZZLY fulfilling one of its legal and/or regulatory obligations.
Users have the right to request that the processing of their personal data be limited to what is strictly necessary. This right is applicable only:
- if the User concerned disputes the accuracy of his personal data;
- if the User concerned justifies that the processing of his personal data is unlawful and requests a limitation of their use rather than a deletion;
- if GRYZZLY no longer needs the personal data of the User concerned and that these are still necessary for the User to establish, exercise or defend legal rights;
- if the User concerned objects to the processing of his personal data based on the legitimate interest of the controller, justifying an overriding legitimate interest.
Right of complaint to a supervisory authority
Any User, who considers that the efforts made by GRYZZLY to preserve the protection of his personal data do not guarantee the respect of their rights, has the possibility to lodge a complaint with the competent supervisory authority (CNIL or any other authority mentioned on the list available from the European Commission).
Right to the portability of their personal data
Users have the right to the portability of their personal data, authorising them to obtain from GRYZZLY the said personal data concerning them, in a structured, commonly used and legible format.
Users may in this context request that their personal data be transmitted to another controller.
Right to decide the fate of personal data after death
Users also have the right to organize the fate of their personal data after their death by adopting general or specific guidelines that GRYZZLY undertakes to respect.
In the absence of such directives, GRYZZLY recognizes to the heirs the possibility of exercising certain rights, in particular the right of access if it is necessary for the settlement of the succession of the deceased and the right of opposition.
Exercise by Users of their rights
To better respond to Users’ requests, GRYZZLY has spontaneously appointed a personal data protection officer (“DPO”).
Also, in order to exercise their rights, any User may contact the designated DPO, according to the following coordinates: GRYZZLY 90 cours Lafayette 69003 LYON (FRANCE) firstname.lastname@example.org
To help them in the exercise of their rights, GRYZZLY indicates to Users that the CNIL has established and made available to them, on its website accessible at the address www.cnil.fr, models of letters.
Before processing the Users’ request(s), GRYZZLY will be entitled to verify their identity, asking them for any useful proof.
The DPO will respond to each User’s request as soon as possible and in any event one (1) month from the User’s justification of his identity.
In the event of complexity of the requests and/or their number, this period may be extended by two (2) additional months, GRYZZLY undertaking in any event to inform the User concerned of the extension and the reasons for the postponement.
7. Amendment of the Charter
GRYZZLY reserves the right to make changes to the Charter at any time in order to comply with legislative and regulatory changes and/or to improve its personal data processing and protection policy.
In case of modification, a new version will be updated and put online with the date of Last update.
Any new version of the Charter must be subject to prior acceptance by Users.