Privacy policy

1. Preamble and purpose

In the management of the website accessible at the address https://tse.fr/ (the “Site”), Techniques systèmes elaborés (TSE), the data controller (“we,” “our,” “us”), processes the personal data of users of the Site (“Data Subjects”). We are committed to processing the personal data of Data Subjects in accordance with applicable regulations, including Regulation (EU) 2016/679 of April 27, 2016, known as the General Data Protection Regulation (“GDPR”), and the French Data Protection Act of January 6, 1978, in its updated version (together, the “Applicable Regulations”). In this regard, we undertake to fulfill our obligation of transparency and information towards Data Subjects by providing them with this privacy policy, which aims to inform them about the characteristics of the processing of personal data that we carry out in the context of the use of the Site and the rights they have in this regard.

2. Definitions

Terms beginning with a capital letter are either defined herein or have the meaning given to them by the Applicable Regulations, including the GDPR, such as “Personal Data,” “Processing,” “Data Subjects,” “Data Controller,” “Processor,” “Recipient,” or “Data Breach.”

3. Characteristics of processing

The Processing we carry out using Data Subjects’ Data is presented in the following tables.

3.1 Contact Form

Purpose of Processing: Managing contacts by and with Data Subjects

Legal Basis for Processing: Legitimate interest / Pre-contractual measures

Categories of Personal Data:

  • Professional data (job category)
  • Department
  • Contact data (email address)
  • Connection data (traces, logs)
  • Any other data that may be provided by the Data Subject in their message or attached document(s)

Duration of Processing: 1 year from collection; 3 years for personal data related to a prospect, starting from their collection or the last contact initiated by the prospect.

3.2 Newsletter

Purpose of Processing:

  • Management of electronic mailings: sending information about the company, its products, and services to Data Subjects
  • Management of subscriptions
  • Compilation of statistics related to the newsletter service

Legal Basis for Processing: Legitimate interest

Categories of Personal Data:

  • Contact data (email address)
  • Subscription date
  • Statistics related to the newsletter service

Duration of Processing: We retain the email address until the Data Subject unsubscribes (via the unsubscribe link included in the newsletters).

3.3 Cookie Placement

For further information on the processing of your data in the context of cookie placement and other trackers, please refer to our Cookie Policy.

4. Recipients of personal data

We may disclose the personal data of Data Subjects to authorized Recipients who are subject to an appropriate obligation of confidentiality, which may be internal or external, depending on the case.

Internal Recipients include:

  • Members of our staff whose duties, functions, and tasks require them to process the personal data of Data Subjects (e.g., communication department, marketing department, customer and prospect relationship department, IT department) solely for the purposes specified in this Privacy Policy and within the technical and organizational measures we implement to preserve the confidentiality and security of the personal data, as detailed below.

External Recipients include:

  • Subsidiaries of the SFA Group and the parent company acting as processors whose duties, functions, and tasks require them to process the personal data of Data Subjects (e.g., SFA Tech in charge of IT services within the Group);
  • Service providers or Processors that we may use in the context of Processing (e.g., hosting service providers, call centers, email service providers);
  • Entities responsible for consulting, auditing, and financial control (auditors, lawyers);
  • Administrative or judicial authorities within the scope of their powers;
  • In the event of a fundraising, acquisition, or sale of a business or assets by any means, including the sale of the business conducting that activity or holding those assets, the potential acquirers and their advisors for the purpose of conducting a pre-transaction audit. In the case of acquisition by a third party, the personal data will be part of the transferred assets and will be processed by the acquirer, who will act as the new Data Controller in accordance with their own privacy policy.

5. Rights of data subjects

5.1 Statement of Rights

In accordance with the Applicable Regulations, Data Subjects have the following rights regarding their personal data:

  • The right to request confirmation that data concerning them is being processed, to obtain information about the characteristics of this Processing, to access this data, and to request a copy (right of access and copy);
  • The right to have any data concerning them that is inaccurate or outdated corrected or completed (right of rectification);
  • The right to withdraw their consent at any time, provided that the Processing concerned is exclusively based on this legal basis (right to withdraw consent);
  • The right to object to the Processing of their personal data for reasons related to their particular situation and to obtain erasure, in which case we will comply with this request unless the Processing is justified by compelling legitimate grounds (right to object for legitimate reasons and right to erasure);
  • The right to obtain temporary limitation of Processing in the event of a request for rectification or objection for legitimate reasons, during the time we analyze the request, which in practice means that personal data will be retained but not processed (right to restriction);
  • The right to data portability, which means the right to receive, in a commonly used format, the personal data they have provided to us when the Processing is automated and based on consent or the performance of a contract;
  • The right to establish directives regarding the Processing of their data after their death and to request us to keep, erase, or communicate their data to a specifically designated third party, with the understanding that once we become aware of a Data Subject’s death and in the absence of instructions from them, we undertake to delete their personal data unless its retention is necessary for evidentiary purposes or to comply with a legal obligation (post-mortem right).

5.2 Exercise of Rights

When a Data Subject wishes to exercise any of the aforementioned rights, they can contact us via the contact form on the contact page. The request from the Data Subject must come exclusively from them (unless made by a duly authorized third party) and be as clear and comprehensive as possible to allow us to respond within the timeframes, ranging from one to three months, depending on the complexity of the request. We may request the Data Subject to clarify their request if it is not sufficiently precise, if the right they wish to exercise is not easily identifiable, or if they cannot establish their identity. In such cases, we may ask for additional information, including proof of identity, which will be deleted as soon as their identity is verified. Furthermore, we are not obligated to respond to a Data Subject’s request if it is manifestly unfounded or excessive, particularly if they make repetitive or excessively complex requests that would disrupt our activities.

6. Security

We implement appropriate technical and organizational security measures to preserve the confidentiality and security of the personal data we process and to prevent their destruction, loss, alteration, or unauthorized disclosure. For example, the following measures have been implemented and are documented in a security assurance plan:

  • Hosting of personal data on servers located within the European Union in a member country;
  • Training of our staff who handle Data Subjects’ data;
  • User authentication mechanisms with personal and secure access through strong, confidential, and regularly updated identifiers and passwords;
  • Authorization management procedures (definition and review of authorization profiles based on the user profiles of the information system, deletion of obsolete access);
  • Access tracking mechanisms, login logging, incident management, and, where applicable, encryption of certain personal data;
  • Regular implementation of internal audits and, where applicable, differentiated penetration tests to control and assess the effectiveness of the security measures in place;
  • Physical security of premises (access codes, keys, and badges) and workstations (automatic session locking, antivirus, and firewalls).

When we use Processors, i.e., service providers to whom we have delegated all or part of a Processing and who process the personal data of Data Subjects in accordance with our instructions, we undertake to require security guarantees equivalent to those we implement to protect their personal data and reserve the right to conduct an audit of them to ensure compliance with their obligations.

In the event of a Data Breach, we undertake to notify the French Data Protection Authority (CNIL) in accordance with the Applicable Regulations and, if the Data Breach poses a high risk to Data Subjects, to inform and provide them with the necessary information and recommendations.

7. Updating of this policy

We may modify, supplement, or update this policy at any time to take into account legal, regulatory, and/or jurisprudential developments, changes in the characteristics of Processing, or the implementation of new Processing.

8. Contacts

Data Subjects can send us any questions or complaints regarding this policy or provide us with recommendations or comments related to it in writing to the following addresses:

  • By mail: Rte de Chèvreville, 60440 Brégy
  • By email: via the contact page on our website

Data Subjects can also ask questions to the CNIL or file a complaint with them.