Personal data protection

Introduction

As part of its activities, the ORECA GROUP collects and processes your Personal Data in compliance with the amended French Data Protection Act and the General Data Protection Regulation (GDPR) in order to satisfy your needs and requests.

The purpose of this document is to explain the ORECA GROUP’s principles and commitments regarding the protection of Personal Data.

Its purpose is to inform you about:

• The Personal Data that ORECA GROUP collects, and the reasons for its collection,
• How your Personal Data will be used,
• Your rights as a data subject under our data processing.

This Policy applies to the following website :

• oreca.com

What is the scope of this policy?

The Policy applies to any individual with a relationship with the ORECA GROUP.

Who is the Data Controller for your personal data?

The Data Controller for the processing of personal data is:
ORECA GROUP
Parc d’activités du Plateau de Signes
83870 SIGNES, France
SIRET No.: 302 045 794

How does ORECA GROUP implement the protection of Personal Data?

ORECA GROUP complies with the following obligations:

• Build in personal data protection ahead of projects: “Privacy by Design”.

ORECA GROUP undertakes to take into account the protection of your Personal Data and your privacy from the way it designs the services offered to you, thus minimising the risks of non-compliance with the principles of the GDPR and the amended French Data Protection Act.

Accordingly, appropriate technical and administrative measures proportionate to the processing of Personal Data are taken with regard to the purpose sought by ORECA GROUP in the envisaged processing.

The application of this principle also makes it possible to implement preventive measures to limit risks relating to Personal Data.

• Automatically ensure the highest level of personal data protection: “Privacy by default”.

ORECA GROUP implements appropriate technical and administrative measures to ensure that, by default, optimal processing security is planned for and implemented.

What processing, purposes and legal basis are covered by this policy?

The ORECA Group collects and processes data for the purposes described [in the French version of this page] or specified at the time of collection.

What data do we collect?

ORECA GROUP undertakes to collect only data that is strictly necessary to carry out its processing, and not to use this data for any purpose other than that for which it was initially collected.

In relation to Marketing and Communication

The personal data collected are:

• identifying data
• business life data
• login data

In relation to Sales Administration

The personal data collected are:

• identifying data
• business life data
• economic and financial data

In relation to distance selling

The personal data collected are:

• identifying data
• business life data
• login data
• location data

In relation to technology department management

The personal data collected are:

• identifying data
• professional life data
• login data

In relation to management of the Legal and Compliance Department

The personal data collected are:

• identifying data
• business life data
• personal life data

In relation to the Oreca Magny-Cours company

The personal data collected are:

• identifying data
• business life data
• economic and financial data
• Bank data

In relation to buildings and production tools maintenance

The personal data collected are:

• identifying data
• business life data
• video surveillance image data

What is the basis for the legitimacy of our processing?

ORECA GROUP relies on the following legal bases for its processing of personal data: legal obligation, contractual performance, consent and legitimate interest.

Personal data belonging to minors?

Some services may be used by minors.

In this case, the ORECA GROUP ensures that the consent of the parents or legal guardians of minors under the age of 15 is obtained when their personal data are processed or collected.

With whom may your Personal Data be shared?

The collected data are intended for the ORECA GROUP.

Your data may be sent to or shared with, depending on the processing concerned:

• The relevant internal departments of ORECA GROUP;
• Recipients external to the ORECA GROUP: service providers, carriers/deliverers, insurers, statutory auditors, office tools and compliance platform.

These service providers are processors of personal data within the meaning of the GDPR, and this is why the data is accessible to them under a subcontracting agreement that requires them to comply with the principles of this personal data protection policy.

• To “authorised third parties”: CPAM, URSAAF, Trésor Public.

If you would like to obtain the list of ORECA subcontractors, you can contact the data protection officer at: dpo.ext@oreca.fr

Can your Personal Data be transferred outside the European Union?

ORECA GROUP processes most of your personal data within the geographical scope of the European Union (EU).

In the case of transfers of personal data outside the EU, ORECA GROUP ensures that appropriate safeguards are provided.

How long is your Personal Data retained for?

The retention period for your Personal Data depends on the processing carried out.

ORECA GROUP undertakes not to retain your Personal Data beyond the period necessary for the provision of the service, and therefore for your use of the service, plus the retention period imposed by the applicable rules regarding legal limitation periods.

A summary table of all storage periods is currently being prepared by the ORECA GROUP. It will be published and accessible from this paragraph once finalised.

How is your personal data protected?

ORECA GROUP undertakes to take all necessary measures to ensure the security and confidentiality of your Personal Data; specifically, to prevent it from being damaged, erased or accessed by unauthorised third parties.

Only authorised persons can access the data. Any subcontractor personnel are always accompanied and supervised by an employee of the ORECA GROUP and/or the Information System Department (ISD) when accessing the data servers.

We continuously improve our security procedures as technologies evolve to maintain a maximum level of protection. Our staff, and the staff of our subcontractors who have access to personal data, are contractually bound by an obligation of confidentiality.

Organisational measures include restricting access to personal data to authorised persons with a legitimate interest in such access.

Furthermore, in the event of a security incident affecting your Personal Data (destruction, loss, alteration or disclosure), ORECA GROUP warrants that it will comply with the obligation to report Personal Data breaches; for example, to the CNIL data protection authority.

What are your rights in relation to your Personal Data?

You have the right at any time to exercise with the ORECA GROUP the rights provided for by the regulations in force applicable to personal data, provided that you fulfil the conditions and according to the basis of the processing of the data concerned:

• Right of access: you may be entitled to receive your Personal Data processed by the ORECA GROUP on the basis of your consent, the performance of a public service mission, a legal obligation, the fulfilment of your contract or the legitimate interest of the ORECA GROUP;
• Right to rectification: you may rectify, or arrange for the rectification of, your Personal Data processed by ORECA GROUP on the basis of your consent, the performance of a public service mission, a legal obligation, the performance of your contract or the legitimate interest of ORECA GROUP;
• Right to object: you can express your wish that your Personal Data will no longer be processed, if the processing is based on your consent (you withdraw your consent), or on contractual performance (waiver clause of the contract), or in the event of processing carried out in the legitimate interest of ORECA GROUP. However, you may not object to processing carried out in relation to a legal obligation incumbent on the ORECA GROUP, or in relation to the fulfilment of a public service mission that has compelling legitimate grounds that prevail over your rights and freedoms;
• Right to erasure: you may request the deletion of your Personal Data, subject to the legal retention period, if the processing is on the basis of your consent (you withdraw your consent), or on contractual performance (waiver clause of the contract), or in the case of processing carried out in the legitimate interest of ORECA GROUP. However, you may not request the erasure of data from processing carried out in relation to a legal obligation or the performance of a public service mission incumbent on the ORECA GROUP;
• Right to restriction: you may request the suspension of the processing of your Personal Data on the basis of your consent, legal obligation, contractual performance or legitimate interest of ORECA GROUP if you have a request for rectification, erasure or opposition pending, or if you consider the processing to be unlawful;
• Right to portability: you can ask ORECA GROUP to extract your Personal Data so that you have sole access to it if the processing is on the basis of your consent or the fulfilment of a contract. You are not entitled to the right to portability in the event that the processing is carried out in relation to a legal obligation, the performance of a public service mission or the legitimate interest of ORECA GROUP.

How can you exercise your rights over your personal data?

When your Personal Data is collected, you are informed of the address (postal and/or electronic) to which to send your request to exercise your rights, a template of which is appended to this policy.

Any request made via a means that does not eliminate doubt about the identity of the applicant must be accompanied by a copy of proof of identity.

ORECA GROUP undertakes to respond to your requests to exercise your rights as soon as possible, and at the latest within one (1) month of receipt of your request, and insofar as the exercise of these rights does not adversely affect the fulfilment of the contract or compliance with legal and regulatory obligations. Where necessary, this period may be extended by two (2) months in the event of complexity and/or a significant number of requests.

The ORECA GROUP complies with its obligations regarding the protection, security and confidentiality of users’ personal data, and has appointed a Data Protection Officer.

You can contact our Data Protection Officer in the following way:

• Postal address:

Délégué à la Protection des Données (Data Protection Officer)
Service Juridique (Legal Dept)
Groupe ORECA
Parc d’activités du Plateau de Signes
83870 SIGNES, France

• Email: dpo.ext@oreca.fr

You may also file a complaint with the CNIL by sending your requests to the following website: www.cnil.fr/fr.plaintes/internet

Appendix 1

FORM FOR EXERCISING YOUR RIGHTS RELATING TO YOUR PERSONAL DATA FOR THE ATTENTION OF THE ORECA GROUP

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, “GDPR”), you have several rights over your personal data, as well as over the processing of said data.

In order to exercise all the rights granted to you by the GDPR, please complete the form below:

• IDENTIFICATION OF THE REQUESTER

Surname:
………………………………………………………………………………………………………………….

First name:
…………………………………………………………………….......................................................

Postal address:
…………………………………………………………………….......................................................

Email:
…………………………………………………………………….......................................................

• IDENTIFICATION OF THE RECEIVER

Oreca Group :

• Motorsport
• Retail
• Event
• Facets
• Magny Cours
• Human Ressources

In accordance with Articles 39 I and 40 I of Law No. 78-17 of 6 January 1978 on personal data protection, in order for your request for access to your personal data and your request to correct your personal data to be admissible, you must send the necessary information to prove your identity; namely, a copy of a valid proof of identity.

We would also like to remind you that your ability to exercise these rights is limited depending on the basis of the processing. For example, your right to erasure is limited in cases where the data is necessary for the fulfilment of a contract or compliance with a legal obligation.

If you would like to know more about the conditions under which you may exercise your rights, please read the “Your rights regarding your personal data” section of our personal data protection policy.

• SUBJECT OF THE REQUEST
• Request for access to your personal data, i.e. if you want to know whether or not ORECA GROUP processes your personal data, and if so, you want to obtain a copy (in accordance with Article 15 “Right of access by the data subject” of the GDPR).
• Request to rectify your personal data, i.e. if you consider that certain personal data concerning you is inaccurate or incomplete (in accordance with Article 16 “Right to rectification” of the GDPR).

We ask you, where applicable, to specify the data covered by the request for correction:
………………………………………………………………………………………………………………….

• Request to erase your personal data, i.e. if you no longer want your personal data to be processed by ORECA GROUP (in accordance with Article 17 “Right to erasure (“right to be forgotten”)” of the GDPR).

If applicable, please specify the data covered by the erasure request:
………………………………………………………………………………………………………………….

• Request for restriction of processing, i.e. the case where you wish to limit the processing carried out by the data controller, meaning that the personal data concerned can, with the exception of storage, be processed only with your consent (in accordance with Article 18 “Right to restriction of processing” of the GDPR). Such a request may be made only when:
  • You are disputing the accuracy of your personal data for a period of time that enables the controller to verify the accuracy of such data;
  • The processing is unlawful and you object to their erasure and demand that their use be restricted instead;
  • The data controller no longer needs your personal data for the purposes of the processing, but it is still necessary for you to assert, exercise or defend your legal rights;
  • You have objected to the processing pursuant to Article 21(1) of the GDPR during the verification as to whether the legitimate grounds pursued by the data controller prevail over yours.

If applicable, please specify the data covered by the limitation request:
………………………………………………………………………………………………………………….

• **Data portability request;**e. a case in which you wish to receive personal data of yours that has been provided to a data controller and wish to transmit it to another data controller (in accordance with Article 20 “Right to data portability” of the GDPR).

If applicable, please tick the following boxes if:

• You wish to receive your personal data;
• You would like ORECA GROUP to transfer your personal data to another organisation responsible for processing (please provide us with documentary details of said organisation):
  ………………………………………………………………………………………………………………….
• Request to object to data processing, i.e. if you object to the processing of your personal data referred to in Articles 6 § 1 e) or f) of the GDPR, i.e. the processing necessary for the fulfilment of a public service mission by the data controller, or the processing necessary for the purposes of the legitimate interests pursued by the data controller or by a processor, or if you no longer wish your personal data to be processed for marketing purposes (in accordance with Article 21 “Right to object” of the GDPR).

If applicable, please specify the data covered by the request to object to processing:
………………………………………………………………………………………………………………….

Signed at (location) ……………………..…, on (date) ……………………..

Signature