Last update 6 June 2022
“Applicable Data Protection Laws” means the French legislation on data protection no. 78-17 of 6 January 1978 as subsequently amended and consolidated and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, and all other laws and regulations relating to or impacting the processing of Personal Data, if applicable.
“Client” means the Party (or Parties) beneficiary (or beneficiaries) of the Services.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.
“DY” means Drones for Yachts SAS, a French joint stock company, whose head offices are located 34 rue de Laborde – 75008 Paris.
“EEA” means the European Economic Area.
“DY Personnel” means all partners, directors, officers, employees, individual contractors and other personnel of DY.
“Personal Data” means any information relating to an identified or identifiable Data Subject.
“process,” “processes,” “processing,” “processing” and “processed” shall mean any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.
“Processor” means a natural or legal person which processes personal data on behalf of the Controller, pursuant to specific and written instructions.
“Sensitive Personal Data” means Personal Data: (i) revealing information as to a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, offences, criminal convictions, criminal history, trade union membership, genetic data, biometric data, health, sex life or sexual orientation; or (ii) which does not fall into any of the categories in (i), but which is regulated under national privacy law in the jurisdiction from which it was exported in the same manner as those types of Personal Data.
“Services” means services to be delivered by DY to Client.
DY processes Personal Data fairly and lawfully in accordance with Applicable Data Protection Laws.
III. DY’s principles for handling Personal Data as a Controller
DY will be “Controller” where it determines the purposes and means by which Personal Data is used. For instance, DY shall be Controller in relation to (i) DY’s Clients and prospective Clients’ data for the purpose of managing DY commercial relationship with them and informing them about the Services, (ii) data regarding DY’s suppliers and subcontractors for the purpose of managing their contractual relationship with DY.
While performing Services, DY may have access to Client’s documents which may contain Personal Data and/or process Personal Data initially collected by Client directly or indirectly from Data Subjects (such as Client’s employees, clients and suppliers).
When DY and Client jointly determine the purposes and means by which Personal Data is used in the context of a mission or Services, DY and Client may be “Joint-Controllers” and shall define precisely, in the relevant engagement letter or contract, the scope of their respective responsibilities. Unless otherwise provided, Client shall remain in charge of informing Data Subjects of the processing of their Personal Data, their rights, and act as a direct point of contact with them.
In handling Personal Data as a Controller or Joint-Controller, DY and DY Personnel will abide by the following key principles:
Where DY collects Personal Data directly from Data Subjects, DY will provide those Data Subjects with information about how DY processes their Personal Data to the extent necessary to ensure that processing is fair and lawful. In circumstances where DY Clients transfer Personal Data to DY, DY shall not be obliged to inform Data Subjects on the type of Personal Data processing made by DY in connection with the Services.
2- Data minimization and accuracy
Where DY acts as controller, DY ensures that Personal Data is accurate and where necessary, kept up to date.
The Personal Data DY holds must be adequate, relevant and not excessive for the purposes for which they are transferred and should only be retained for as long as necessary for the purposes of the processing.
Where DY acts as a processor of Personal Data on behalf of a Client, DY will, at the Client’s request, put in place reasonable measures to have that data updated, corrected, anonymized or deleted (subject to certain limited exceptions).
3- Legal ground of Processing
In accordance with the Applicable Data Protection Laws, the processing of Personal Data must have a legal ground.
The applicable Data Protection Regulation also requires DY to inform the Customer of these legal grounds. Therefore, the processing is based on one of the following legal grounds:
- Performance of a contract: the processing of the Personal Data is necessary in order to perform DY’s obligations under a contract;
- Legal obligation: the processing of Personal Data is required in order to comply with a legal obligation such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
- Legitimate interest: the processing relies on the legitimate interest of DY in running a lawful business, so long as it doesn’t outweigh the Data Subject’s interest;
- Express consent: in some cases, DY will ask specific permission to process some Personal Data and will only process the Personal Data if this permission is granted. The consent might be withdrawn at any time by using the following email address: firstname.lastname@example.org.
DY only collects “sensitive” data when the relevant individuals voluntarily provide this information or where such information is required or permitted to be collected by law or professional standards.
4- Purpose limitation
DY will only process Personal Data for the purposes (i) set out in the contract entered between DY and its Clients or providers; (ii) as required by law; (iii) for the pursuing of DY’s legitimate interests, (iv) for public interests or (v) where consented to it by the relevant Data Subjects.
Examples of the “legitimate interests” referred to above are:
- Processing in the context of a relationship with a Client or a provider;
- Processing of personal data for commercial prospection, to prevent fraud or criminal activity and to safeguard IT systems, assets and places of work;
- Processing to exercise DY’s fundamental rights in the EU under Articles 16 and 17 of the Charter of Fundamental Rights, including the freedom to conduct a business and right to property;
- Processing to benefit from cost-effective services (e.g. DY may opt to use certain IT platforms offered by suppliers).
5- Data quality and proportionality
Personal Data shall be kept accurate and where necessary, up to date. The Personal Data DY holds must be adequate, relevant and not excessive for the purposes for which they are processed and shall only be retained for as long as necessary for the purposes of the relevant processing.
DY applies its policies relating to the retention of documents in compliance with the law, regulatory requirements and other requirements related to its professions. These policies apply to any document or file, in physical or electronic forms. After expiry of the retention period (from 7 to 10 years), documents and files are securely deleted in compliance with standards applicable to our line of business and our policies.
6- Security and confidentiality
Reasonable precautions must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions include technical, physical and organizational security measures, such as measures to prevent unauthorized access, that are commensurate with the sensitivity of the information and the level of risk associated with the processing of the Personal Data.
7- Data Subjects’ rights
Data Subjects shall have access to their Personal Data that is held by DY, where those requests (i) are reasonable and permitted by law, (ii) do not violate our ethical obligations and (iii) do not conflict with our professional obligations or any other obligation of confidentiality.
DY agrees to rectify, amend, or delete Personal Data upon request where it is inaccurate or where it is being used contrary to these key principles, and to the extent that those rights are not subject to any limitation under applicable regulation.
Data Subjects shall be able to object to the processing of their Personal Data if there are compelling legitimate grounds relating to their particular situation, to the extent required and permitted by Applicable Data Protection Laws. Data Subjects also have a right to data portability pursuant to Article 20 of the General Data Protection Regulation, as well as the other rights provided by Applicable Data Protection Laws.
8- Sensitive Personal Data
Where DY processes Sensitive Personal Data, it will take such additional measures (e.g., relating to security) as are necessary to protect such Sensitive Personal Data in accordance with Applicable Data Protection Laws.
9- Data used for marketing purposes
Where DY processes Personal Data for the purposes of direct marketing, DY will have effective procedures allowing Data Subjects at any time to “opt-out” from having their Personal Data used for such purposes.
10- Automated Processing
Where DY processes Personal Data on a purely automated basis that has a significant impact on a Data Subject, DY shall give the Data Subject the opportunity to discuss the output of such processing before making those decisions (save to the extent otherwise permitted under Applicable Data Protection Laws).
11- Information transfer and compliance
Personal Data may be transferred outside the country in which it was collected, including countries outside of the European Economic Area, for legitimate business activities in accordance with Applicable Data Protection Laws.
In addition, in accordance with Applicable Data Protection Laws, DY may store Personal Data in facilities operated by third parties on behalf of DY outside the country in which the Personal Data was collected.
Nevertheless, Personal Data must not be transferred to another country unless the transferor has assurance that an adequate level of protection is in place in relation to that Personal Data as required under Applicable Data Protection Laws.
DY will ensure that where Personal Data is transferred to third parties outside of the DY network for processing (for example to DY’s service providers to support DY’s business), it is only done where the Personal Data is adequately protected.
IV. Acting as a Processor
DY will be “Processor” where it processes Personal Data on behalf of a “Controller” who instructs it how it can use the Personal Data. Where DY acts in a capacity as a Processor of Personal Data on behalf of Clients, it shall act in accordance with the instructions of the Controller of such Personal Data.
DY may be Processor on those Client engagements where Client provides specific instructions on (i) which type of Personal Data provided by Client to DY shall be processed by DY, (ii) which operation or set of operations shall be performed by DY on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction, (iii) for which duration Personal Data shall be processed and stored by DY, (iv) which technical means (such as software or tools) DY shall use to process Personal Data on behalf of Client, (v) what additional security measures shall be taken by DY.
If complying with such instructions is not possible for any reason (for example due to a conflict with current or future legislation), DY will promptly inform the Client of its inability to comply with its instructions.
When DY ceases to act on behalf of a Client, it will (at the Client’s option) return, destroy or continue to properly protect all Personal Data it had received from that Client, save as provided otherwise under applicable law.
Where DY acts as such a Processor, it also has a duty to help Client to comply with the law (subject to the Client meeting DY’s related costs and expenses), for example (i) by informing the Client about the processing activities that DY carries out so that it may inform the relevant Data Subjects; (ii) at the Client’s request putting in place reasonable measures to have that Personal Data updated, corrected, anonymized or deleted (subject to certain limited exceptions).
Where acting as such a Processor of Personal Data, DY will in any event treat such Personal Data in accordance with the above paragraphs relating to security and confidentiality and information transfer and compliance, only transfer Personal Data where the Client has agreed to such a transfer (which it may do in advance under the terms of engagement with DY) and inform the Client if there is a serious breach of security in relation to Personal Data so that it can inform the Data Subjects concerned, where necessary.
V. Retention period for which data will be stored or the criteria used to determine this period
DY makes reasonable efforts to retain Personal Data only for so long as the information is necessary to comply with an individual’s request, as necessary to comply with legal, regulatory or internal policy requirements or until that person asks that the information be deleted.
VI. Recipients or categories of recipients of Personal Data
DY does not share Personal Data with third parties, except as necessary to its legitimate professional and business needs to carry out its client’s requests and/or as required or permitted by law or professional standards. This would include:
- DY’s service providers: DY transfers Personal Data to third-party service providers such as IT systems providers, our hosting providers, our payroll providers, consultants (such as legal advisers) and other goods and services providers. DY works with such providers so they can process Personal Data on DY’s behalf. DY will only transfer Personal Data to them when they meet DY’s strict standards on the Processing of data and security. DY shares Personal Data only in order for them to provide their services.
- In the event of a capital increase, restructuring or transfer to another organisation: DY will transfer Personal Data in connection with the capital increase, sale, assignment or other transfer of the business to which the data relates.
- Courts, tribunals, law enforcement or regulatory bodies: DY will disclose Personal Data in order to respond to requests of courts, tribunals, government or law enforcement agencies where it is necessary or prudent to comply with applicable laws, court or tribunal orders or rules, or government regulations.
- Audits: disclosure of Personal Data will also be needed for data privacy or security audits and/or to investigate or respond to a complaint or security threat;
- Insurers: professional rules and business requirements mean that DY carries out significant insurance cover in respect of business activities (the “insurance program”). In order to make the insurance program work effectively, the insurance program involves a number of different participants in the insurance market (e.g. brokers, insurers and reinsurers, as well as their professional advisors and other third parties involved should there be a claim). Some of these insurance market participants will require that Personal Data is disclosed to them.
VIII. Your Rights, Complaints, Questions and Additional Information.
DY is committed to protect your personal information.
Therefore: if DY processes Personal Data about you, you have the following rights:
- Access and correction: you have the right to access your Personal Data. This is sometimes called “Subject Access Request” and it is free of charge. Before providing personal information to you, DY may ask for proof of identity and sufficient information about your interactions with DY to locate your Personal Data. If the information DY holds about you is incorrect, you are entitled to ask to correct any inaccuracies.
- Object to Processing: you have the right to object to us processing your Personal Data if DY is not entitled to use it anymore.
- Other rights: in addition, you may have the rights to have your Personal Data deleted if DY is keeping it too long, the right to have its processing restricted in certain circumstances and/or the right to obtain copies of information DY holds about you in electronic form.
You also have a right to data portability, a right of giving instructions regarding your data in the event of death, a right to limit the processing, and a right to erasure.
You may exercise your rights and request a copy of the suitable safeguards implemented in the event of transfer outside the European Economic Area, by using the following link: email@example.com. DY will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
DY will acknowledge your email and seek to resolve your concern within one month of receipt. Where the concern is complex or we have a large volume of concerns, DY will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised.
DY may accept your request (in which case we will implement one of the measures mentioned in the section “Data Subjects’ rights” above) or reject it on the basis of legitimate reasons.
In any event, you always have the right to lodge a complaint with the French Data Privacy Regulatory Authority, the Commission Nationale de l’Informatique et Libertés (CNIL).