Privacy Policy

INTRODUCTION

This policy outlines the undertakings and measures implemented by the Alter Solutions Group in the processing of data transmitted or collected to ensure ongoing compliance with the texts applicable to data protection (French Law no. 78-17 of 6 January 1978 as amended and the European General Data Protection Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, these two texts being hereinafter referred to as the "Regulation").

The purpose of this Policy is to provide clear information on the way in which your personal data is collected and used by the Alter Solutions Group.

 

DEFINITIONS

Processing of personal data: means any organised set of operations carried out on personal data (collection, structuring, storage, modification, communication, etc.).

Personal data: means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Sensitive data: means all data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning the health of a natural person or data concerning a natural person’s sex life are all classified as sensitive data.

Processing of sensitive data is strictly prohibited, except in circumstances where:

  • The data subject concerned has given explicit consent;
  • The processing forms a necessary part of the execution of the contract with the data subject.

Data subject: means any identifiable natural person who can be identified through the processing of personal data.

Data controller: means the natural or legal person who determines how the processing of personal data shall be undertaken, including the purposes the data will be used for as well as the means of processing to be used.

Subcontractor: any natural person who carries out data processing operations on behalf of the Data controller. By virtue of their agreement with the Data controller they are entrusted with certain tasks and required to provide technical and organisational guarantees relating to their capacity to process the personal data entrusted to them in compliance with the prevailing regulations.

Recipient: means any natural person who receives an authorised communication of personal data.

Cookie: refers to a set of data or collection of data stored on a computer (personal computer or other device connected to the Internet) necessary for the operation of a particular website.

Personal data breach: means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

WHO ARE WE?

The Alter Solutions Group is a technology consulting group that provides services and expertise to support our customers in the implementation of their technical projects dedicated to software engineering and cybersecurity.

Our ambition is guided by three strategic development axes:

  • Increase our market position as technical experts;
  • Expand our business to include international markets;
  • Develop our employer brand in order to attract the best people.

 

SCOPE

This general data protection policy applies to the following categories:

  • Professionals, partners within the group
  • Employees of the group
  • Prospective applicants wishing to join the group
  • Natural persons who are clients or prospects of the group
  • Internet users browsing alter-solutions.com
  • All computer and telecommunication resources (in whatever form, tangible or intangible) necessary for the creation, processing, exchange and storage of personal data.

 

NATURE OF THE DATA

In accordance with the data minimisation principle, only personal data that is strictly necessary shall be collected and processed.

The information that may be collected includes the following:

  • The marital status of the Data Subject:
    • Last name / Maiden name
    • First names
    • Nationality
    • Civil status data (Gender, First and Last name of spouse, Family members, etc.)
    • Address, postal code and town of residence
    • Personal and business telephone number(s)
    • Personal and professional e-mail(s)

 

  • The professional life of the Data Subject:
    • Position, Grade, Salary
    • Working hours: clock in and out times
    • Photographs, videos
    • Addresses, site plans and technical data relating to buildings or installations (subject to intellectual property and contractual rights)

 

  • The connection data of the Data Subject:
    • IP address of the terminal or equipment connected to the Internet
    • Data specific to the technical equipment used to access the services provided by the companies within the group (PC, smartphone, web browser, etc.)
    • Cookies
    • Browser history

 

LIST OF DOCUMENTS

The documents listed below contain personal data collected or transmitted in the form of PDF attachments:

  • Identity documents (ID cards, passports, residence permits, etc.)
  • Electrical accreditations, driving licenses, CACES (Certificate of Aptitude in Safe Driving)
  • Medical appointments
  • Data provided as part of the Curriculum Vitae, and contained in the attached letters
  • Diplomas, educational qualifications
  • Proof of address
  • Photographic identification
  • Bank statement
  • Recognition of disabled worker status, disability card
  • Partial/Permanent Disability

 

PURPOSE OF THE PROCESSING

DEPARTMENT CONCERNED

PROCESSING

PURPOSE

PROCUREMENT

Processing and administration relating to suppliers/service providers

  • Management and follow-up of orders  
  • Formalisation of contracts 
  • Monitoring of supplier/service provider invoicing

ACCOUNTING / TAXATION

 

Management of principal and subsidiary accounts and invoicing

  • Posting of entries to the principal and subsidiary accounts and justification of company and subsidiary accounts.
  • Preparation and issuance of invoices to clients (B2B/B2C)
  • Settlement of supplier/service provider invoices

 

COMMUNICATIONS

Internal communication activities

  • Creation of mailing lists
  • Dissemination of internal memos and other related notices (IRP minutes, etc.)
  • Dissemination of news relating to the company
  • Management of corporate social media: enrolment onto employee networks; administration of discussion groups; processing of user requests; provision of content; statistical analysis of traffic.
  • Organisation of employee events (internal competitions; Christmas for Children event; staff party; etc.)
  • Organisation of events for third parties: management and follow-up of bookings; webinars etc.

External communication activities

  • External communication of non-sales related information (news; updates)
  • External social network promotions and marketing
  • Management of the company website and statistical analysis of traffic

Management of copyright and permissions relating to images

  • Compilation and storage of all image related copyright and signed use permissions

 

ISD

IT asset management

  • Management and monitoring of allocation of individual computer equipment
  • Creation of email addresses
  • Allocation of laptop computers
  • Setting-up of direct telephone lines for employees

 

Management of data hosting

  • Hosting and provision of company data for the benefit of the employees
  • Safeguarding of company data by scheduled back-ups

Management of computer directories and definition of IS access rights

  • Creation/deletion of user accounts
  • Allocation/revocation of access rights and permissions to applications and networks

Administration of Guest WiFi

  • Provision of a WiFi network within private premises for use by visitors
  • User authentication
  • Retention of connection and access logs to satisfy statutory obligations

 

LEGAL

Administration of all legal affairs on behalf of the company

  • Organisation of general meetings and meetings of the boards of directors
  • Maintenance of a register of partners and other statutory registers and records
  • Administration of financial benefits due to partners in the company

Administration of delegated authority and signatories within the company

  • Identification of necessary powers and authority
  • Drafting, execution and recording of delegated authority

Administration of contractual relations with corporate partners

  • Formalisation of contracts with clients, partners and suppliers
  • Preparation, implementation and monitoring of legal proceedings before the relevant competent jurisdictions
  • Management and monitoring of amicable settlements

Management of unpaid invoices

  • Management and monitoring of unpaid invoices: including out-of-court procedures for the collection of unpaid invoices (identification of debtors; issuance of reminders; etc.)
  • Management of accounting reserves
  • Preparation of various statistics and reports for regulatory, accounting, tax and operational purposes

Management of GDPR requests from Data Subjects

Monitoring and management of individual requests made in connection with the exercise of their GDPR rights:
  • Preparation of statistical data
  • Internal processing of data breaches
  • Identification of data subjects affected by the data breach
  • Notification of breaches to the appropriate EU member Data Protection Authority (DPA) and to the affected persons who are victims of the data breach, if applicable

 

GENERAL SERVICES

 

Video surveillance

  • Management of the video surveillance system within private premises to ensure the security of people and property; excluding any monitoring of employee activities
  • Handling of requests to view video surveillance images and any related image extraction
  • Possible future use of the data to establish and prosecute criminal offences (management of litigation)

Management of fixed lines and mobile telephones

  • Management and allocation of a business telephone number

 

MARKETING / PROSPECTING

Direct marketing operations

  • Organisation and management of direct marketing activities
  • Implementation of monitoring and analysis of operations in order to determine their relevance and performance
  • Follow-up activities relating to marketing objections/withdrawal of consent to direct marketing
  • B2B and B2C marketing and distance selling operations conducted by telephone; e-mail; SMS
  • Follow-up relating to services provided by the company/clients thanks to the company's marketing operations

Operation of the website

  • Creation of user accounts
  • Communication operations directed to web users (Newsletter)

 

HUMAN RESOURCES

Management of recruitment operations

  • Organisation and management of recruitment operations: intake, review and processing of applications
  • Organisation of job interviews; in person and/or remotely (by phone or video)
  • Collection of information relating to the identity and contact information of references; provided by the candidate; to the extent necessary to assess the candidate's skills accordingly

Direct contact with potential candidates

  • Conduct profile searches on social networks
  • Direct contact operations with potential candidates on social networks and/or by recommendation

Offer of employment

  • Collection of data necessary to establish the offer of employment
  • Establishment of the employment contract
  • Retrieval of administrative documents as part of the formation of the administrative personnel file*
  • Provision of documents (internal regulations; GDPR notices; various forms including the one for affiliation to the mutual insurance company; etc.)

Administrative management of personnel

  • Establishment, monitoring and management of the personnel file for each employee during the duration of the employment contract; maintained in accordance with the legal and regulatory provisions; as well as the statutory, collective bargaining or contractual provisions governing the persons concerned
  • Organisation and monitoring of medical appointments
  • Monitoring of fitness for work (only fit/unfit)
  • Implementation of the occupational physician's recommendations and maintenance of the employees' medical files within the HRD file
  • Organisation of medical appointments
  • Maintenance and updating of personnel register
  • Monitoring the performance of employees in the performance of their respective duties
  • Completion of corresponding declarations to the tax authorities and to social security, retirement and insurance organisations 
  • Completion of corresponding declarations to the tax authorities and to social security, retirement and insurance organisations 
  • Maintenance of employee salary change records
  • Scheduling of annual review interviews
  • Preparation; execution and monitoring of disciplinary measures taken against an employee
  • Preparation, execution and monitoring of employment litigation
  • Management of employee terminations

Management of leave, work stoppages / accidents, working time

  • Management and monitoring of leave; including exceptional leave/absence (according to the statutory, collective bargaining or contractual provisions governing the persons concerned)
  • Management of sick leave and work/travel accidents
  • Declarations to the competent bodies (legal obligation to notify)
  • Working time monitoring (statements of attendance; executives on fixed-term contracts; etc.)

Management of internal directories and organisational charts

  • Provision of an internal directory and organisational chart
  • Management of employee objections to the distribution of their photograph

Career and mobility management

  • Management of internal competencies (skills, career path)
  • Monitoring and management of mobility requests
  • Transportation/accommodation booking procedures/resources for business travel
  • Management of business visa applications
  • Monitoring and organisation of training requests

Expense reports

  • Approval of expense reports prior to reimbursement (as part of payroll processing)
  • Undertaking checks to verify compliance with the expenditure commitment procedure (legitimate interest of the company to prevent abuse and fraud)

Payroll management

  • Calculation and payment of remuneration and related items
  • Transfer orders for payment
  • Transmission of payroll entries to the accounting department
  • Creation and provision of electronic pay slips
  • Implementation of the company's remuneration policy
  • Collection and analysis of individual performance data
  • Calculation of the amount of variable remuneration
  • Entry into the payroll software/sent to the payroll manager
  • Retention of pay slips in accordance with applicable statutory and regulatory provisions

Management of the employee savings scheme

  • Calculation and payment of shares as part of profit-sharing
  • Management of employees' decisions (investment in the company savings plan or immediate payment)
  • Subsequent use of the data within the framework of payroll management for the calculation of CSG (Contributions to the General Social Security Scheme) and CRDS (Contributions to the Social Security Deficit)

Other benefits

  • Provision of meal card supplied every month
  • Management and allocation of gift and holiday vouchers to employees

 

Data is collected for specific, explicit and legitimate purposes. All processing is justified on at least one of the following bases:

  • The processing of personal data is based on the consent of the Data Subject
  • The processing is necessary for the performance of a contract to which the Data Subject is party
  • The processing is necessary to comply with one or more statutory obligations to which we, the company are subject
  • The processing is necessary for the legitimate interests of the Alter Solutions Group and does not infringe the rights of the Data Subjects

 

ACCOUNTABILITY OF THE DIFFERENT STAKEHOLDERS

The data processors shall only collect and process the personal data that is voluntarily transmitted to them, or provided by the various software or hardware resources (ERP, Time & Attendance, Internet routers, etc.).

The Alter Solutions Group has put in place an organisation that relies on the skills and accountability of those involved in all operations related to the processing of personal data. We raise awareness and take steps to implement dedicated data protection training to increase everyone's awareness and knowledge of the subject.

 

TRANSPARENCY

In accordance with the above, and unless it is necessary to communicate personal data to companies whose intervention as third party service providers on behalf and under the control of the responsible party is required for the aforementioned purposes, the Group shall not pass on any personal data collected nor sell, license or otherwise exchange the data with any organisation or entity, unless the corresponding data subjects have been duly informed thereof in advance and have provided their explicit consent, unless required by law, for example in the context of legal proceedings.

When subcontracting, we take all reasonable steps to ensure that the subcontractors provide sufficient guarantees regarding the protection of personal data; we ensure that appropriate technical and organisational measures have been implemented in order to guarantee the protection of personal data and the rights of the Data Subject.

We structure the relationship with the subcontractor through contractual GDPR liability clauses as part of the proper execution of the terms of the contract.

 

LIMITING DATA SHARING / EXCHANGES

Data shall be kept in a form that allows the identification of the Data Subjects for no longer than is necessary for the purposes for which they are processed.

The retention period shall be defined in a way that is appropriate, precise and proportional to the purpose of each processing operation.

 

COOKIES

For more information about cookies, their categorisation and detail, please refer to our Cookie Policy.

 

SAFETY

Personal data protection measures are founded on the IS security principles described in the IT charter. The Alter Solutions Group have implemented a set of security measures proportionate to the risks relating to data loss, data disclosure and illegitimate access to data. These measures shall ensure the confidentiality, integrity and availability of personal data processed by the Alter Solutions Group.

 

PERSONAL DATA BREACHES

 

In the event of a personal data breach relating to processing operations that represents a high risk to data subjects and falls within the scope of a privacy impact assessment, the Alter Solutions Group undertakes to:

  • Notify the supervisory authority within a period of no more than 72 hours from the discovery of the breach;
  • Identify and inform those affected by the breach, as appropriate.

 

DIREITOS DAS PARTES

Alter Solutions Group shall ensure that data subjects have the ability to exercise their rights in connection with their personal data.

Right of access

This right is intended to ensure that the Data Subject has access to all data and details of the processing that concerns them in order to determine the information held by Alter Solutions Group or to verify the accuracy of the same.

Right to rectification

This right allows a Data Subject to request the correction of any inaccurate personal data.

Right to erasure

This right allows a Data Subject to request the erasure of personal data held by Alter Solutions Group, where applicable.

Right to restriction of processing

This right allows a Data Subject to request that Alter Solutions Group restrict the processing of personal data processed by the company.

Right to data portability

This right allows a Data Subject to retrieve personal data in order to store or transmit said data from one information system to another.

Right to object

This right allows a Data Subject to object to the processing of any personal data.

Right not to be subject to an automated processing decision

The Data Subject shall have the right not to be subject to a decision which may include a measure involving the assessment of certain personal aspects relating to them which is taken solely on the basis of automated processing and which produces legal effects concerning them or which similarly significantly affects them, including profiling.

 

The above rights can be exercised at any time:

  • Or by sending an e-mail to the following address: privacy@alter-solutions.com
  • Or by writing to: ALTER SOLUTIONS - Data Protection Officer (DPO) – 6 Avenue du Général de Gaulle – 78 000 Versailles - FRANCE
  • You also have the right to file a complaint with the competent Data Protection Authority (DPA) of any member state of the European Union and to define post-mortem guidelines. For a complete list of these authorities and their direct contacts, please access this website: https://edpb.europa.eu/about-edpb/about-edpb/members_pt

  • Regarding any processing of data undertaken to ensure appropriate monitoring of the risks of money laundering and terrorist financing, pursuant to Article L.561-45 of the French Monetary and Financial Code, your requests for access to these files should be addressed to the Commission Nationale Informatique et Libertés – 3 place de Fontenoy, 75007 Paris.

  • In terms of direct marketing, you may choose at any time not to receive direct marketing by using the unsubscribe link in the message.