Data protection policy

1. What is personal data?

Personal data is any information that can be used to identify a natural person.

A natural person can be identified:

  • Directly, for example : first and last name
  • Indirectly, for example : telephone number or number plate, identifier, postal or email address, but also voice or image
  • Using a single piece of data, for example: name
  • By cross-referencing a set of data, for example: a woman, born on a given date, living at a given address and working in a given profession

2. Who is responsible for the personal data protection policy?

It is the company, embodied by its director, that creates a data processing operation for a specific purpose and adopts the appropriate means of protection (for example: the company that wishes to send you its newsletter will collect your email address to do so, and is responsible for the personal data protection policy). It is also known as the “data controller”.

We may also be joint data controller. In this case, our decisions are taken by mutual agreement with a partner, usually another company, under a written contract.

We may also process personal data. In this case, we process data because we are carrying out a service on behalf of a data controller. The contract with our partner then describes the guarantees we must provide as a subprocessor: traceability obligation, data protection from the design stage and by default, data security, duty to assist and advise.

You will find detailed information about us on the legal notice page of our website.

Data Controller

EXTRUPLAST

Joint-stock Company (société par actions simplifiée) with capital of 200.000 euros

56 Rue Robert Geffre – 17000 LA ROCHELLE – France

+33 (0) 5 35 54 95 77 – contact@extruplast.net

SIREN: 415 133 412

Intra-Community VAT Number : FR79415133412

 

Legal Representative : Monsieur Gilles Dondainas, Chief Executive

Director of publication : Monsieur Gilles Dondainas, Chief Executive

 

Hosting provider : OVH

EXTRUPLAST is a subsidiary of Groupe Dubreuil

3. What is the purpose of the personal data protection policy?

In the age of digital technology and the digital economy, we want our relationships to be based on trust and mutual interest.

We publish our data protection policy to keep you informed about how we process the personal data entrusted to us. Processing personal data means consulting it, collecting it, storing it, cross-referencing it, using it and so on.

In addition to the objective we seek, our policy also tells you how long we keep your personal data, and what rights you can exercise.

Our policy is regularly updated. We therefore invite you to consult it from time to time on our website www.xpauto.fr or at our offices.

4. Who is the personal data protection policy intended for?

The personal data protection policy applies to all individuals :

  • Website visitor
  • Customer
  • Potential customer (also known as a prospect)
  • Employee (including trainee)
  • Candidate
  • Partner
  • Shareholders, corporate officers and executives

5. What personal data do we process?

At various times, we may collect information about you or those around you.

Here are a few examples, by category of data (examples marked with an asterisk * relate only to employees, candidates or shareholders, and only when the collection of the data is strictly necessary):

  • Civil status: Surname, first name, age, nationality, gender
  • Contact data, telephone, calendar: Email address, postal address, telephone number
  • Language: Mother tongue, other languages spoken
  • Online browsing and information systems data: IP address, connection date, cookies
  • Image and sound recording: Photograph, voice message
  • Hobbies, interests and habits: Preferences and interests
  • Family environment: Family status, household composition
  • Financial and accounting data: IBAN, invoice
  • Equipment identification: Model type, serial number, badge
  • Traffic and vehicles: Registration, geolocation
  • Employee data: Entry date*, salary*
  • Candidate data: Diploma*, training*
  • Identity documents: Passport number*, copy of identity card*
  • Highly personal data: Social security number
  • Conviction and offence data: B3 extract from the criminal record*
  • Sensitive data: Health and disability data

 

The collection of information on persons under the age of 16 is limited to their name, nationality and date of birth, which can only be provided by a person of legal age. If a child in your care sends us personal data, you can ask us to delete it in the ways described below (see “13. How to exercise your rights “).

In order to respond your requests or provide you with the appropriate service, we may need to hold information that indirectly enables us to identify sensitive data, such as your state of health. In this case, we will only collect this data with your prior consent. For example, you can let us know if you have any allergies.

6. What do we do with your personal data?

6.1 We process your personal data in order to achieve a defined objective

Personal data is processed when it is consulted, collected, stored, used, cross-referenced, etc., in order to achieve a defined objective.

We are committed to minimising the data collected, i.e. processing only the personal data that is necessary. For example, to offer you a gift for your birthday, we do not necessarily need your year of birth: Even if certain computer tools collect it, for this purpose, we do not consult your year of birth.

In principle, data should only be processed for a single purpose. If a processing operation serves several purposes, we need to make this clear to you. A piece of data may then become useless for a first purpose but still be necessary for a second purpose. For example, we collect your email address to send you a quotation, but once the quotation has been accepted, we retain your email address to process your order.

6.2 We only process your personal data because we are authorised to do so

The General Data Protection Regulation (GDPR) organises and limits the purposes for which we may collect your data.

If you are our customer, our partner or our employee, we must collect your data in order to conclude and execute the contract between us, until the expiry of the warranties and time limits.

In some cases, we are required by law to retain personal data. For example, we need to be able to identify the origin of our income and the destination of our expenditure in order to meet our accounting and tax obligations.

In other cases, we need your consent to process your personal data. For example, to send you unsolicited commercial offers, or to keep a record of your application.

Finally, the GDPR allows us to simply assess our interest in processing your personal data, provided that this does not create an imbalance between your interests and ours. For example, we may compile sales statistics to get to know our customers better.

6.3 We keep your data for a limited period

Sometimes a few hours are enough to achieve the objective we are seeking. Sometimes the law requires us to keep your data for several years.

Your personal data will only be kept for as long as is necessary to achieve this purpose.

In general, the retention periods are :

  • 2 years after consideration of your unsolicited application or application for one of our job offers
  • 3 years after your last reaction to our commercial offers
  • 5 years after the end of the sale, rental or service contract that we entered into together
  • 10 years after the last monetary exchange between us
  • Up to 50 years after the end of the employment contract we entered into together

 

These are maximum periods, and in certain situations you may ask us to delete your data. For more details, see section “12. What are your rights?” below.

6.4 Summary table

What de we do with the data ?

(Processing)

What is our objective ?

(Purpose of the processing)

Why can we do it ?

(Legal basis)

Whoe does the processing concern ?

(Data subjects)

How long do we keep data ?

(Maximum retention period)

Drawing up a quotation Preparing the contract Contract Customers and potential customers 3 years after the last contact by the data subject
Consulting and updating your customer account Implementing the loyalty programme Contract Customers 5 years after the end of the contract
Satisfaction surveys Evaluating our customer relations Legitimate Interest Customers and potential customers Deletion at the end of processing
Claims management Providing the ancillary services expected by our customers Contract Customers 5 years after the end of the contract
After-sales service Providing the ancillary services expected by our customers Contract Customers 5 years after the end of the contract
Product quality studies Evaluating our offers Legitimate Interest Customers Deletion at the end of processing
Product tests Evaluating our offers Consent Customers and potential customers Deletion at the end of processing
Sales statistics Managing our sales policy Legitimate Interest Customers 3 years after the last contact by the data subject
Electronic commercial prospecting for goods or services that have not already been purchased by private individuals Developing our customer base Consent Customers and potential customers 3 years after the last contact by the data subject
Commercial prospecting by post or telephone calls to individuals Developing our customer base Legitimate Interest Customers and potential customers 3 years after the last contact by the data subject
Commercial prospecting for professionals Developing our customer base Legitimate Interest Customers and potential customers 3 years after the last contact by the data subject
Electronic commercial prospecting for goods and services similar to those already purchased Building customer loyalty Legitimate Interest Customers 3 years after the last contact by the data subject
Bookkeeping, annual accounts and financial statements Keeping accurate accounts Legal obligation Customers, partners, employees, shareholders, officers and directors 10 years after the end of the financial year
Preparation of various tax returns Meeting tax obligations Legal obligation Shareholders and their tax households 10 years after the end of the financial year
Billing and collection management Monitoring and consolidating cash flow Legitimate Interest Customers and partners 10 years after the end of the financial year
Financial study of investment projects Providing financial and banking support Legitimate Interest Shareholders and directors Deletion at the end of processing
Financial, banking and insurance management Providing financial and banking support Legitimate Interest Shareholders and directors 10 years after the end of the financial year
Management control Providing financial and banking support Legitimate Interest Shareholders, directors, employees, customers and partners 10 years after the end of the financial year
Management of securities and company registers Maintaining the legal secretariat Legal obligation Shareholders and corporate officers 10 years after the end of the financial year
Monitoring governance bodies and formalities Maintaining the legal secretariat Legal obligation Shareholders and corporate officers 3 years after the end of the financial year
Negotiating, drawing up or drafting contracts, protocols and various agreements Ensuring contracts are finalised and effective Contract Directors, customers and partners 5 years after the end of the contract or up to 30 years after the contract was signed
Advertising and prospecting Recruitment Legitimate Interest Candidates and employees 2 years after the end of recruitment
Organising interviews with candidates Recruitment Legitimate Interest Candidates and employees 2 years after submitting the application
Drafting employment contracts Recruitment Contract Employees 5 years after the end of the contract
Monitoring remuneration, staff regulations and group benefits Fulfilling the employer’s social commitment obligations Legitimate interest Employees 5 years after the end of the contract or up to 50 years after the end of the contract
Monitoring the number of employees and their individual and collective status Fulfilling the employer’s social commitment obligations Contract Employees 5 years after the end of the contract
Drawing up a training plan Fulfilling the employer’s social commitment obligations Legitimate interest Employees 3 years after the end of the financial year
Forward-looking management of jobs and skills Aligning human resources with corporate strategy and market trends Legitimate interest Candidates and Employees 3 years after the end of the financial year
Implementation and monitoring of employee benefits Fulfilling the employer’s social commitment obligations Contract Employees 5 years after the end of the contract
Organisation of elections and relations with social partners and the social and economic committee Fulfilling the employer’s social commitment obligations Legal obligation Employees 5 years after the event
Management of any employee-related disputes, both individual and collective Fulfilling the employer’s social commitment obligations Contract Employees 5 years after the event
Redundancy or contractual termination procedures Fulfilling the employer’s social commitment obligations Contract Employees 5 years after the employee leaves
Drawing up and monitoring a redundancy plan Fulfilling the employer’s social commitment obligations Legal obligation Employees 5 years after the event

7. Cookies and other trackers

A cookie is a small file containing a series of pieces of information that may be sent to your browser by the website to which you are connecting.

Your browser stores this file for a certain period of time, and sends it back to our server each time you reconnect to our website.

When you first visit our website, a banner will inform you of the presence of cookies and allow you to indicate your preferences.

With the exception of technical cookies, which are strictly necessary for the operation of the website, our cookies are only placed if you accept them using our banner or according to the settings on your browser. We may place audience measurement and statistical cookies, cookies enabling us to offer you tailored advertising, and cookies linking your activity on our website to your activity on social networks.

You will find more detailed information on the Cookie policy page of our website.

8. Who do we collect data from?

In most cases, we collect your data directly from you, when you fill in a form, send us a message, a request or documents concerning you, online, by telephone, by post or at our premises.

We may also collect your data from public or private databases, on the Internet and from our partners.

9. Who can access your personal data?

We are careful to limit access to your personal data, and our employees’ access is limited to what is strictly necessary for their work within our organisation.

We work with many partners. We may then share your data :

  • Either because our partners are our subprocessors and act solely at our request.
  • Or because our partners participate in our contract. For example: A partner who produces a good or service that we have sold to you, and who owes you guarantees of assistance and product safety, or who surveys you to improve its quality
  • Or because you were informed when your data was collected and you expressed your agreement or disagreement.

You can find a list of our partners here. We endeavour to update it regularly. We therefore invite you to consult it from time to time.

In addition to this list, and always provided that you have expressed your agreement or disagreement, we remind you that in order to provide you with relevant offers, we may share your data with our subsidiaries, a list of which can be found on the www.groupedubreuil.com website.

Finally, we are sometimes required by law to disclose your data to the judicial or financial authorities or other government bodies and independent supervisory authorities, in compliance with European and French law, as well as to certain regulated professions, such as lawyers, bailiffs, notaries or audit firms.

10. Can your data be transferred outside the European Union?

We ensure that your personal data is processed and stored within the European Union and under European law.

As an exception, and if justified by the purpose of the partnership, we sometimes exchange with partners outside the European Union. In this case, personal data may be processed outside the European Union, provided that this is accompanied by guarantees that comply with the GDPR, in particular the signing of a contract that follows the model proposed by the European Commission and protects your data (also known as standard contractual clauses, or SCC), or storage in a country recognised by the CNIL for the guarantees it offers (GDPR adequacy decision). These guarantees are mentioned in the list of our partners above.

We may also transfer your personal data to the authorities of third countries in accordance with the regulations in force. In such cases, we ensure compliance with international law.

11. How do we protect your personal data?

We are concerned about the security of the personal data entrusted to us. Confidentiality is very important to us, and we are aware that we must assure you that your data will not be distorted, damaged, destroyed or disclosed to persons or organisations that have no need to know.

We take physical, electronic and organisational protection measures to prevent any breach of your personal data, and these measures are regularly evaluated to check that our organisation is up to date with protection standards.

We implement appropriate internal procedures to raise awareness among our employees and ensure compliance with these measures within our organisation, and we monitor compliance by our partners.

We also recommend that you exercise caution. For example, do not share your logins and passwords, or the equipment on which they are pre-registered.

12. What are your rights?

You have various rights over your personal data, within the limits and conditions authorised by the Law and the rights of third parties :

  • Right of access: You can ask us for a copy of the personal data concerning you that has been entrusted to us.
  • Right of rectification: If you consider that we hold inaccurate or incomplete data, you have the right to have it amended.
  • The right to withdraw your consent at any time for the processing of your data subject to your consent.
  • Right to object: If you consider that our processing is not legitimate because it creates an imbalance between our interests and yours, you may object to this processing.
  • Right to portability: You may ask us to pass on your data to a third party to carry out processing on our behalf, if this is technically possible.
  • The right to erasure, also known as the “right to be forgotten”: You may request the deletion of all your personal data, if your request corresponds to one of the situations provided for by the Law.
  • Right to restrict processing: This is a temporary right enabling you to control how we use your personal data while we process another of your rights, listed above.

You also have the right to give instructions concerning the fate of your personal data after your death.

13. How to exercise your rights?

There are several ways for you to exercise your rights :

  • A link or SMS number allowing you to object to or withdraw your consent, which is communicated to you during our canvassing, surveys and quality studies.
  • A dedicated page to exercise your rights.
  • An email address to exercise your rights.

 

You can also oppose telephone canvassing by contacting the BLOCTEL service.

 

You may, at any time, lodge a complaint with the competent supervisory authority in the country of the European Union in which you habitually reside, your place of work or the place where the alleged breach of the regulations occurred: In France, your complaint should be sent to the CNIL.

This personal data policy was updated on 19 June 2024

Consult our previous personal data protection policy here