Check out How Wakeo Complements CargoWise in Freight Forwarding: Get your copy NOW!
Personal data protection policy
1. General provisions
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the changes of the RGPD, the law n°78-17 of January 6, 1978 known as Informatique et libertés was amended by the law n°2018-493 of June 20, 2018 by the ordinance n°2018-1125 of December 12, 2018 on data protection.
The regulations applicable to the protection of personal data include the following texts:
- the French law on information technology and civil liberties updated with the above-mentioned texts;
- the recommendations of the Cnil.
For a proper understanding of this policy it is specified that:
- the "controller" means the natural or legal person who determines the purposes and means of processing personal data. For the purposes of this policy, the controller is Wakeo;
- “data subjects" are those persons who can be identified, directly or indirectly, by reference to the personal data collected by the data controller, i.e., in the context of this policy, all of Wakeo's contacts related to its customers and prospects, regardless of their status (employees or managers)
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.
- "personal data" means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- "enriched data": enriched personal data is the opposite of the notion of "raw" personal data provided by the data subject. It is data that is generated by the data controller. It can also be inferred and/or derived data created by the controller on the basis of the data "provided by the data subject";
- "processing of personal data" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
- "personal data breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
In order to ensure the proper functioning of our company, we are required to process personal data relating to our customers, prospects and partners within the framework of commercial relations and contracts concluded with them.
The purpose of this policy is to meet our obligation to provide information and to remind our clients, prospects and partners of their rights with regard to the processing of their personal data.
1.4. General principles
No processing is carried out by our company regarding data about you if it does not involve personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be made known to our customers and prospects by means of an amendment to this policy.
2. Identification of treatments
2.1. Categories of data collected and origin of data
The data is mainly collected directly from our contacts with customers and prospects of our company and via our website and online platform.
Accordingly, we only collect and use the data necessary for the conclusion or performance of contracts with our company, namely:
- identity of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g.: title, surname, first name);
- professional contact information of the person(s) in charge of a file or contacted for canvassing purposes (e.g. professional email, professional postal address, professional fixed or mobile telephone number, fax number);
- professional information of the person(s) in charge of a file or contacted for canvassing purposes (e.g.: position, grade, function);
- technical data depending on the use case (identification or connection data such as IP address or logs);
- platform usage data.
2.2. Purposes of the processing
We process data from individuals who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have approached us to contract with us.
Contract and follow-up
We process the data of our customers' contact persons in the context of the contractual relationship with our customers.
Billing, payment and accounting
We process the data of our contacts with our customers and prospects in the context of invoicing and payment of orders placed.
Customer/prospect relationship management
We process the data of our customers and prospects in order to communicate with them in the context of questions that they may ask us in the course of the current or future performance of a contract with our company.
Management of the directory of our customers and prospects
We maintain a directory of our clients and a directory of our prospects, which implies the mention of our main contacts with them.
Organization of events by our company
We process the data of our customers and prospects when we invite them to events that we organize or co-organize.
Sending newsletters or information feeds
When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data of our contacts with our customers and prospects.
Realization of statistics
We may perform statistical analysis of our customers' and prospects' data.
2.3. Shelf life
We define the length of time we keep the data of our clients and prospects in the light of the legal and contractual constraints that weigh on us and, failing that, according to our needs.
As a matter of principle, data relating to our customers and prospects must be kept for the time strictly necessary to manage the commercial relationship. More precisely, we commit ourselves to respect the following conservation periods:
Contracts with our customers
5 years from the end of the contract
10 years for contracts concluded by electronic means over 120 euros
Commercial correspondence (purchase orders, delivery notes, invoices, etc.)
10 years from the end of the accounting period
Data processed for prospecting purposes
For customers: 3 years from the end of the commercial relationship (from the end of a contract or the last contact from the customer)
For prospects: 3 years from the date of collection by Wakeo or the last contact from the prospect (request for documentation, click on a link in an email, etc.)
1 year from the date of collection
See the cookies policy
The periods indicated in the previous table are necessarily extended for the legal period of prescription as evidence in case of litigation. In the latter case, the retention period is extended for the entire duration of the dispute.
After the set deadlines, the data are either deleted or kept after being anonymized, in particular for statistical purposes. They may be kept in case of pre-litigation and litigation.
You are reminded that deletion or anonymization are irreversible operations and that Wakeo is no longer able to restore them afterwards.
2.4. Legal basis
The processing of data of our contacts with our customers and prospects as presented above is based on the following conditions of lawfulness, which differ depending on whether the processing concerns customers or prospects:
Pre-contractual or contractual performance
Pre-contractual performance or legitimate interest of Wakeo
2.5. Recipients of the data
Recipients of data are defined as the natural or legal persons who receive the personal data. The recipients of data can therefore be both Wakeo employees and external organizations.
We ensure that the data collected and processed in the context of our relations with our customers and prospects are only accessible to authorized internal and external recipients, and in particular to the following recipients
- the personnel of the competent departments authorized to manage the relationship with our clients and prospects and their line managers;
- Support services personnel, i.e. administrative services, logistics and IT services and their line managers;
- our service providers or support services (e.g. IT service provider);
- the competent authorities in the event that we are required to share certain data with judicial officers, departments responsible for internal control procedures, etc. ;
- Administrators of user accounts;
For internal recipients, we decide which recipient will have access to which data according to an authorization policy and ensure that they are subject to a confidentiality obligation.
With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally entitled to know about it (tax and social authorities in particular). In this case, Wakeo is not responsible for the conditions under which the personnel of these authorities have access to and use the data.
3. Management of people's rights
3.1. Right of access and right to copy
Our customers and prospects have the right to ask us whether we actually process data about their members (staff, managers, etc.) in the context of the contracts concluded with them or the prospecting messages we send them.
They may also request that we provide them with a copy of their members' data that is being processed.
However, if additional copies are requested, we may require our customers and prospects to pay the cost of the new copy.
If requests from our customers and prospects are made electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.
Our customers and prospects are informed that this right of access cannot concern confidential information or data for which the law does not authorize communication.
The right of access must not be exercised in an abusive manner, i.e. carried out on a regular basis with the sole aim of destabilizing the proper execution of our services.
3.2. Right of rectification
Our clients and prospects have the right to ask us to rectify certain data concerning their personnel that are obsolete or erroneous.
3.3. Right to erasure
Our customers can only invoke the right to erasure of their personnel data in the following cases:
- the contract has been terminated and is no longer in effect between our company and its customer;
- Staff members whose data is processed and who are no longer employed by one of our customers and who therefore wish to be removed from our customer database.
Our prospects may invoke the right to erasure of their personal data insofar as they have the right to object to receiving marketing messages.
3.4. Right to limitation
Our customers and prospects are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not met with respect to our processing of the personal data of their staff members with whom we interact.
3.5. Right to portability
Our customers and prospects are informed that this right is not intended to apply when the conditions required by the applicable regulations are not met with respect to our processing of the personal data of their staff members with whom we interact.
3.6. Right to object
Customers and prospects have the right to object to any commercial prospecting by post, telephone or electronic means, including profiling insofar as it is linked to such prospecting.
In the particular case of electronic canvassing, it will be possible at any time for customers and prospects to oppose such canvassing by clicking on the link found in the e-mail sent. By SMS, it is possible to object to any prospecting by sending "stop" to the number appearing in the message received.
3.7. Exercising the rights of our interlocutors
To exercise their rights, our customers and prospects must contact us either in writing or by post or by email at the following addresses: email@example.com
We make every effort to respond to requests within a reasonable time frame and, at best, within one month of receiving the request.
However, in case the processing of requests is complex, or we are faced with a large number of requests to exercise rights simultaneously, the processing time may be extended to two months.
4. Additional provisions
We may use any subcontractor of our choice to process the personal data of our customers and prospects.
Under the GDPR, a processor is any natural or legal person who processes personal data on behalf of the controller. In practice, this means the service providers with whom Wakeo works and who are involved with Wakeo's personal data.
In this case, we ensure that the processor complies with its obligations under the GDPR.
We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on them as we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure their compliance with the provisions of the GDPR.
4.2. Register of treatments
We undertake, in our capacity as data controller, to keep an up-to-date record of all processing activities carried out where required by law.
This register is a document or application that lists all the processing operations carried out by Wakeo as data controller.
We undertake to provide the CNIL, upon first request, with information enabling it to verify the compliance of the processing with the data protection regulations in force.
4.3. Security measures
We implement such physical or logical technical security measures as we deem appropriate to protect against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
These measures include primarily:
- management of authorizations for data access;
- internal safeguards;
- identification process;
- security audits and penetration tests;
- the adoption of an information systems security policy;
- adoption of business continuity / disaster recovery plans;
- the use of a protocol or security solutions.
In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
4.4. Data breach
We undertake to notify the CNIL of any data breach that we may suffer in the conditions prescribed by the regulations on personal data.
Our contacts with our customers and prospects are informed of any data breach that could pose a high risk to their privacy.
5.1. Data Protection Officer
We have appointed a data protection officer who can be contacted at the following address for any questions regarding data processing: firstname.lastname@example.org.
5.2. Right to file a complaint with the Cnil
Our contacts with our service providers have the right to lodge a complaint with a supervisory authority, namely the Cnil in France, if they believe that the processing of personal data concerning them does not comply with the European data protection regulations, at the following address
CNIL - Complaints Department
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel : 01 53 73 22 22
The present policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the CNIL or practices.
Any new version of this policy will be made known to our customers and prospects by any means we choose, including electronically (e.g., by e-mail or online).
5.4. For more information
For further information, you can contact our data protection officer at the following e-mail address: email@example.com
For more general information on the protection of personal data, you can consult the Cnil website www.cnil.fr.