Personal data privacy policy

  • 01/09/2022 updated

Onepoint, a company incorporated under French law, registered with the Paris Trade Register under number 440 697 712 and domiciled at 29 rue des Sablons, 75116 Paris in France (“onepoint”, “we”, “our”) respects the privacy of any person providing personal data.

Aware of the importance of ensuring the confidentiality of personal data, onepoint undertakes, within the framework of its activities and in accordance with the legislation in force in France and in Europe (Regulation 2016/679 of the European Parliament and the Council of 27 April 2016), to ensure the protection, confidentiality and security of personal data, as well as the respect for privacy.

This external Privacy Policy (“Privacy Policy”) describes how onepoint, its subcontractors and potential partners collect and process the personal data of its clients, suppliers, website visitors, visitors to its premises, applicants, partners and more generally any person whose data it may possess, in accordance with the General Personal Data Protection Regulation (“GDPR”).

It also describes the legal basis applicable to personal data processing, the people we share such data with, and the way in which it is stored.

Onepoint is the Data Controller. This means that we decide how we retain and use your personal data. Under the GDPR, we are required to provide you with all information contained in the Privacy Policy.

It is important that you read this Privacy Policy, as well as any other information that we may provide on specific occasions when we collect or process your personal data, so that you know how and why we use such data.

1 – How is your personal data collected?

The data we collect or hold about you may come from a variety of sources. Some of it has been collected directly from you, or from your company; some may have been collected in compliance with applicable regulations in the past.

Also under applicable regulations, we may also collect information about you when you interact with us, for example when you visit our websites (https://www.groupeonepoint.com/en/) or when you use our mobile applications, when you call us, when you visit our premises or attend events we organise (meetups, conferences, meetings, etc.), when you participate in contests we organise, or when you use certain social media (twitter, facebook , linkedin, etc.).

Some data may come from sources accessible to the public (for example from the press and websites or applications of all kinds including social media) or from external companies.

2 – Type of personal data, purposes and legal basis

By personal data, we refer to any information about a person from which that person can be identified. This does not include data for which the identity has been deleted (anonymous data).

Below you will find an overview of the different types of data subjects covered by this Privacy Policy as well as:

  • Type of personal data about you that we use and store;
  • Purposes for which this personal data is collected;
  • Legal basis for data processing

Onepoint also processes your data to comply with legal or regulatory requirements. For this purpose, onepoint seeks to:

  • Retain the required data in order to comply with legal requirements;
  • Manage data communication requests from competent authorities

2.1 – Type of data subjects: site users/visitors

Type of personal data

  • Surname, first name
  • E-mail address
  • IP address
  • Connection data (cookies)
  • Any information you may have included in the contact form

Purpose & legal basis for data processing

To enable the proper functioning of our Site (including addressing questions and requests, managing requests based on the rights of individuals, allowing for the resolution of disputes, managing complaints).

Our legitimate interest: customer service management

To enable you to access or use our Site (cookies or third-party analytics service such as Google Analytics).

Our legitimate interest: cookies strictly necessary for the provision of the service you have specifically requested.

To store information about your preferences, and enable us to customise our Site according to your interests (cookies) : Your consent (cookies).

To prepare reports or compile statistics to improve our goods and services (cookies) : Your consent (cookies).

2.2. Type of data subjects: applicants for a position in europe

Type of personal data

  • Full name
  • Telephone number
  • E-Mail address
  • City, Country
  • Any information you may have included on your CV

Purpose & legal basis for data processing

To manage our recruitment programme

Our legitimate interest: management of the recruitment programme

To make a decision about your recruitment and communicate this decision to you

Our legitimate interest: recruitment decision

To conduct statistical analysis and market research studies

Our legitimate interest: to know our market in order to develop our activity

Sending commercial communications about our products or services (such as newsletters with updates from onepoint, promotional offers and quality surveys to assess candidate satisfaction)

Your consent: developing our business

Manage rights relating to your Personal Data, including any questions about how we collect, store and use your personal data, or any request to rectify or delete your Personal Data.

Compliance with a legal obligation

2.3. Type of data subjectfs: customers / prospective customers

Type of personal data

  • Full name
  • Telephone number
  • Business e-mail address
  • Business postal address
  • Title
  • Hierarchy
  • Company name
  • Reports and record of actions
  • Bank details

Purpose & legal basis for data processing

To provide the goods or services that are relevant to you or your employer (including confirming and processing orders, managing your account with us, billing, cashing payments and recovering any outstanding payments).

Pursuant to your contract with us.

Sending non-commercial communications relating to an order or a claim.

Pursuant to your contract with us.

Sending commercial communications about our products or services (such as newsletters with updates from onepoint, promotional offers and quality surveys to assess customer satisfaction).

Our legitimate interest: developing our business.

To provide you with technical assistance.

Pursuant to your contract with us.

To manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes.

Compliance with a legal obligation and our legitimate interest.

To manage your queries or problems regarding our products and services, including any questions about how we collect, store and use your personal data, or any request from you to obtain a copy of the data we hold about you.

Our legitimate interest: customer service management.

To ensure network and data security

Our legitimate interest: security management.

To conduct statistical analyses and market research studies.

Our legitimate interest: to know our market in order to develop our business.

2.4. Type of data subjects: suppliers

Type of personal data

  • Last name, birth name
  • Date of birth
  • Country of birth
  • Telephone number
  • Business e-mail address
  • Business postal address
  • Title
  • Reports and record of actions
  • Company name
  • SIREN number
  • Bank details

Purpose & legal basis for data processing

Allow us to receive and manage your products and services (including supplier audits and monitoring of quality and logistics incidents).

For the performance of a contract that we concluded with you.

Sending non-commercial communications relating to an order or a claim.

For the performance of a contract that we concluded with you.

To manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes.

Compliance with a legal obligation and our legitimate interest.

To provide you with technical assistance.

For the performance of a contract that we concluded with you.

To ensure network and data security.

Our legitimate interest: security management.

To conduct statistical analysis and market research studies

Our legitimate interest: to know our market in order to develop our activity.

2.5. Type of data subjects: visitors to onepoint premises

Type of personal data

  • Full name
  • Business e-mail address
  • Company name
  • Title
  • CCTV footage
  • Recording of images such as photographs, video footage and live video streaming

Purpose & legal basis for data processing

To provide you with our goods or services.

Pursuant to your contract with us or your employer’s contract with us.

To provide you with technical assistance.

Pursuant to your contract with us.

To conduct statistical analyses and market research studies.

Our legitimate interest: to know our activity in order to develop it.

Marketing communication actions with different audiences concerning products or services (all media, print, digital, international, fully or by extracts)

Our legitimate interest: developing our business

Sending commercial communications about our products or services (such as newsletters with updates from onepoint, promotional offers and invitations to future events)

Your consent: developing our business

To manage and monitor compliance with internal procedures, for the detection and prevention of fraud, other criminal offences and for risk management purposes

Compliance with a legal obligation and our legitimate interest

To ensure network and data security

Our legitimate interest: security management

3. If you fail to provide personal data

If you choose not to supply the personal data we request, we may not be able to provide you with the products and/or services you have requested or achieve the purposes for which we have requested such personal data.

4. What are personal data flows?

4.1. How do we share your data?

We may share your personal data with companies within the onepoint Group.

We share your personal data with third parties when required by law, when necessary to manage our contractual relationship with you or when we have any other legitimate interest in doing so.

We may need to disclose personal data in response to a request from a regulatory authority, such as the tax authorities or CNIL (the French data protection authority), etc., and/or a court (in response to a judgement, a court order or injunction) upon request or if the law requires us to do so, in order to protect our interests, our property and/or our security and/or those of a third party.

We may also share personal data with companies assisting in the fight against fraud and investigating fraud.

We may also disclose your personal data as part of the fight against money laundering and terrorist financing, with the implementation of monitoring of contracts and/or transactions which could lead to the drawing up of a suspicious activity report or the freezing of assets.

We may transfer your personal data to service providers not affiliated with the onepoint Group, such as:

  • Banks and insurance companies;
  • Providers of computer systems and support for our business, including providers of delivery services, email archiving, backup and disaster recovery service providers, and providers of cybersecurity, hosting and maintenance services;
  • Marketing and advertising service providers.

We will also disclose your personal data to third parties in the following cases:

  • If we sell or buy a business or assets, we may disclose your personal data to the seller or prospective purchaser of this business or these assets;
  • In the event that onepoint or almost all of its assets are acquired by a third party, in which case the personal data held by onepoint will be part of the transferred assets;

In the event that we are bound to disclose or share your personal data in order to comply with any legal obligation, any lawful requirement of the government or law enforcement authorities, and in case it is necessary to comply with national security or law enforcement requirements, or to prevent illegal activity.

Third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal data only for the specific purposes we have identified. We will always do our utmost to ensure that third parties with whom we share your personal data are subject to confidentiality and security obligations in accordance with this Privacy Policy and applicable laws. We only allow them to process your personal data for specific purposes and in accordance with our instructions.

Except as expressly stated above, we will never share, sell or lease your personal data to a third party without notifying you and/or obtaining your consent. If you have given your consent for us to use your information in a particular way, but you change your mind afterwards, you can contact us and we will stop doing so.

4.1.1. External providers

As part of our business, especially those regarding recruitment, eLearning and communication, we employ the services of service providers not affiliated with the onepoint Group.

Thus, you may be required to communicate on a voluntary basis, some of your personal data directly on their platform, for example, through subscription to a newsletter or the creation of a personal user account.

For these treatments, the providers act as the Data Controller. For more information, we invite you to read their own privacy policy.

4.1.2. Recruitments efforts

Workday, recruitment platform: https://www.workday.com/en-us/privacy.html .

4.1.3. Online training

360Learning, eLearning platform: https://360learning.com/privacy-policy .

4.1.4. Communications / marketing

HubSpot, communication and marketing platform: https://legal.hubspot.com/privacy-policy .

Contentsquare, develops and provides customer experience analytics services: https://contentsquare.com/fr-fr/privacy-center/privacy-policy

4.1.5. Event management

Eventbrite, event management platform: https://www.eventbrite.com/support/articles/en_US/Troubleshooting/eventbrite-privacy-policy?lg=en_US.

4.1.6. Customer relationship management

Salesforce, CRM plateform : https://www.salesforce.com/eu/company/privacy/.

Survey Monkey, survey platform : https://www.surveymonkey.com/mp/legal/privacy-basics/.

5. Data processing outside the European union

Onepoint does not transfer personal data outside the EEA, to countries that have not been the subject of an adequacy decision by the European Commission within the meaning of article 45 of the GDPR, or without standard contractual clauses of the European Commission having been concluded.

6. Cookies

The term cookie covers all trackers that provide access to information stored in the terminal equipment of a visitor (web beacons, pixels, etc.).

Thanks to cookies, we can collect your connection data (e.g. IP address, geographical position, type and version of your internet browser, operating system, information on your visits and use of our website, etc.).

This helps us improve your browsing experience and site features.

For more information on cookies, please refer to our cookies policy, accessible at the following address: www.groupeonepoint.com/en/cookie-policy.

7. Personal data retention period

We will only retain your personal data for the time necessary to achieve the purposes for which we collected it, including to comply with any legal or accounting requirement.

To determine the appropriate retention period for personal data, we take into account the quantity, nature and sensitivity of personal data, the potential risk of harm resulting from the unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and the possibility of attaining those purposes by other means, as well as the applicable legal requirements.

Processing and retention period

Site user and visitor data

  • Claims, questions, complaints: 3 years following the closure of a claim, question or complaint.
  • Cookies: for more information on cookies, please refer to our cookies policy, accessible at the following address: www.groupeonepoint.com/en/cookie-policy.

Customer data

  • During the term of the contractual relationship with onepoint, plus another 3 years without prejudice to the retention obligations or limitation periods.

Prospect data

  • We store your information for a maximum of 3 years from the last contact.

Supplier data

  • We store your information for a period of time relevant to the purpose for which we process it, and for a maximum of 3 years from the end of our business relationship.

Applicant data in Europe

  • Non-selected applicants: in the event of a negative outcome to an application, we will inform you if we wish to retain your recruitment file, in order to give you the opportunity to request its destruction. If you do not request the destruction of your file, we will automatically delete your file 2 years after our last contact with you.
  • Selected applicants: in the event of a positive outcome to an application, the onepoint staff privacy policy applies.

Onepoint premises visitor data

  • We store your information for a maximum of 3 years from your last visit.

CCTV data

  • We store your information for a maximum of one month from the date of recording.

Bank data

  • We store your information for a period of time relevant to the purpose for which we process it, and for a maximum of 3 years from the end of our business relationship.

After the established deadlines, the data is either deleted or retained after being anonymised, especially for statistical purposes. It may be retained in case of pre-litigation and litigation. It should be noted that deletion or anonymisation are irreversible operations, and that onepoint is no longer able, thereafter, to restore this data.

8. Rights of data subjects

As a data subject, you have a number of rights. These rights are not absolute and each of these rights is subject to certain conditions in accordance with the GDPR and applicable national laws.

The right of access – you have the right to obtain from us the confirmation that your personal data is or is not processed by us, as well as certain other information (similar to that provided in this Privacy Policy) on how it is used. You also have the right to access your personal data by requesting a copy of your personal data. This allows you to know and verify that we use your information in accordance with data protection laws. We may refuse to provide information when it may reveal personal data about another person or negatively affect the rights of another person.

The right to rectification – you can ask us to take steps to rectify your personal data if it is inaccurate or incomplete (for example, if we have the wrong name or the wrong address).

The right to erasure – also known as the “right to be forgotten”. This right allows you, in simple terms, to request the deletion or erasure of your personal data when, for example, there is no compelling reason for us to continue using it, or its use is illegal. However, this is not a general right to erasure and there are some exceptions, for example when we have to use information to defend a lawsuit or to be able to comply with a legal requirement.

The right to restrict processing – you have the right to “block” or prevent further use of your personal data when we evaluate a request for rectification or as an alternative to erasure. When processing is restricted, we may still retain your personal data, but we cannot use it further.

The right to data portability – you have the right to obtain and reuse certain personal data for your own needs in different companies (which constitute separate data controllers). This only applies to personal data that you have provided to us, which we process with your consent and for contract performance purposes, which is processed by automated means. In this case, we will provide you with a copy of your data in a structured, commonly used and machine-readable format or (where technically possible) we will be able to transmit your data directly to another data controller.

The right to object – you have the right to object to certain types of processing, for reasons related to your personal situation, at any time, to the extent that such processing takes place for the legitimate interests pursued by onepoint. We will be allowed to continue processing personal data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for such purposes.

The right to withdraw your consent – when we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that took place prior to this withdrawal.

The right to provide us with instructions on the use of your personal data after your death – you have the right to provide us with instructions on the management (e.g., retention, erasure and disclosure) of your data after your death. You can change or revoke your instructions at any time.

9. Exercice of rights

We have appointed Claire DESSUREAULT as Data Protection Officer for the onepoint Group. If you have any questions about this Privacy Policy, the way we process your personal information, or if you wish to exercise any of your rights, please contact Claire DESSUREAULT at the following address: dpo@www.groupeonepoint.com.

If you are not satisfied with our response to your claim or if you believe that the processing of your personal data does not comply with applicable data protection laws, you may file a complaint with the competent data protection supervisory authority. The Commission Informatique et Libertés (CNIL) is the data protection authority in France.

We will review all such requests and provide our response within the time frames provided by applicable law. Please note, however, that certain personal data may be exempted from such requests in certain circumstances, especially if onepoint must continue to process your personal data for its legitimate interests or to comply with a legal requirement.

We will review all such requests and provide our response within the time frames provided by applicable law. Please note, however, that certain personal data may be exempted from such requests in certain circumstances, especially if onepoint must continue to process your personal data for its legitimate interests or to comply with a legal requirement.

We may need to ask you for specific information to help us confirm your identity and to guarantee your right to access this information (or to exercise your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to a person who does not have the right to receive it.

10. How is data protected?

Onepoint ensures that data is processed securely and confidentially, including when certain operations are performed by subcontractors. For this purpose, the appropriate technical and organisational measures to prevent the loss, misuse, alteration and deletion of your personal data are put in place. These measures are adapted according to the level of sensitivity of the processed data and according to the level of risk that the processing or its implementation entail. We have procedures in place to deal with suspected data breaches and we will notify you and any appropriate supervisory authority of an alleged breach when we are legally required to do so.

Unfortunately, the security of data transfers over the Internet or data storage systems cannot be 100% guaranteed. If you have reason to believe that your interaction with us is no longer secure (for example, if you believe that the security of an account you have with us has been compromised), please inform us immediately by contacting us using the aforementioned details.

11. Third party sites

The onepoint site may contain links to other websites operated by third parties. Please note that this Privacy Policy only applies to personal data collected by onepoint. We are not responsible for personal data that third parties may collect, save and use on their own websites. We recommend that you read carefully the privacy policy of each website you visit.

Moreover, the onepoint Group is not responsible for hypertext links to its own site which may be included on third-party websites, even if the onepoint Group has authorised the publisher of the third party website to place such a link.

12. Changes to this privacy policy