FR ENDE

Personal data protection policy

Last updated on: 26 November 2021

1.     Introduction

As part of its business, Chemouny Associés (hereinafter the “Firm” or “we” or “us”) collects and processes personally identifiable data of the users of the website https://www.chemouny-associes.fr (hereinafter the “Website”), and those of its potential and existing clients, service providers and applicants.

Please read this policy and review it regularly as it may be updated to address changes in the laws and regulations applicable to the protection of personal data, or any changes in our data processing methods.

We agree to make legitimate and proportionate use of your personal data, by collecting only the data that is relevant and necessary for the specific, determined and explicit purposes defined below.

We also vigilantly ensure that the data we process are accurate at all times and therefore ask you to inform us of any changes so that we may rectify or update inaccurate data if necessary.

2.     categories of data collected

We collect your data in several ways, in particular:

  • via the contact form of the Website;
  • while processing the case and documents for which you have commissioned us;
  • as part of our recruitment process;
  • as part of the use of the Website, to improve user experience and for the purpose of analysis. In that respect, please read our policy concerning tracers and cookies (Insert hyperlink to cookies policy).

We may therefore collect the following data:

  • identification data: surname, forename, address, telephone number, email address;
  • if you are a client of the Firm, when such data is strictly necessary for processing your documents, all the data relating to your case, particularly your personal details (including but not limited to date of birth, marital status, nationality, identity documents, etc.), social security, financial, property and/or tax data, or sensitive data (e.g. data about union membership or your health, or your legal record);
  • if you apply for a job with the Firm, your application data including your CV, education, background and work experience, and also any data you choose to include in your CV, such as information about your hobbies and interests;
  • if you are a supplier to the Firm, data about the orders or services provided to us.

3.     purposes of processing and legal bases

Processing and purposes Legal basis (art.6 of the GDPR)
If you are a supplier of the Firm

  • Administrative management
  • Keeping of supplier accounts
  • Performance of contractual measures
  • Compliance with our legal obligations
If you are a client or prospect of the Firm

  • Client or prospect relationship management
  • Keeping of customer accounts
  • Information for clients and prospects and communication on professional social media
  • Monitoring and processing of the client’s case , including video conferences in that regard
  • Website management (contact form)
  • Legitimate interest or performance of contractual measures
  • Compliance with our legal obligations
  • Legitimate interest
  • Performance of contractual measures
  • Legitimate interest
If you apply for a job  

  • Recruitment, including face-to-face or online interviews
  • Candidate relationship management
  • Legitimate interest

Please find below details of the purposes for which we process personal data, and the legal basis corresponding to each type of processing:

 4.     Storage period

We store your personal data only for as long as is necessary for the purposes for which they are processed, in accordance with applicable laws and regulations. The storage period of your personal data depends on the purpose of the processing, as follows:

Processing Storage period
Supplier management
  • 5 years after the end of the commercial relationship
Client and prospect management  

  • Client relations and follow-up of briefs
  • Response to enquiries from prospects via the Website contact form
  • Storage in active database for the duration of the brief and one year after its closure, then archiving in an intermediate database one year after the closure of the brief
  • 3 years from the last contact with the prospect
Administrative management and accounting

  • Invoicing and accounting (clients, suppliers, etc.)
  • 10 years from the end of the relevant accounting period
Human resources management 

  • Job applications
  • 2 years from the last contact

5.     recipients and transfers

The lawyers of the Firm and in some cases our processors within the meaning of the GDPR (hereinafter “Subcontractors”) may access your personal data.

In that respect, the recipients of your data are:

  • the lawyers and members of the Firm authorised to that end by the Firm;
  • legal auxiliaries working on the tasks entrusted to the Firm (such as bailiffs, legal representatives, representing lawyers and various correspondents), publicity and press relations firms as well as private research and investigation companies;
  • French legal authorities;
  • for video conferences: the individuals accessing them and the publisher of the program used;
  • the suppliers of the Firm, to the extent of their involvement (IT provider, telephone company, Website administrator, etc.).

We only provide our Subcontractors with the information that they strictly need to know, and ensure that they act only on our instructions, and forbid them to use your personal data for any other purpose.

We ensure that our Subcontractors provide sufficient guarantees, in particular by implementing technical and organisational measures that are proportionate and appropriate for the categories of data processed, especially with regard to the security of processing.

We may transfer personal data outside the European Union in connection with the use we make of IT tools (such as the Microsoft Office suite or the WeTransfer file sending service).

We also use applications (such as Teams, Zoom, etc.) to organise video conferences. In that context, personal data about organisers and participants may be disclosed to recipients located outside the European Union, in countries that do not offer equivalent protection. The transfer mechanisms we use in this case comply with the requirements of the GDPR and the guidelines of the European Data Protection Board (EDPB) and include the conclusion of standard contractual clauses with our Subcontractors.

6.     security measures implemented and guarantees

We have implemented technical and organisational measures appropriate for the nature of the personal data we process. We ensure the integrity and confidentiality of the data and protect them against any breach.

To that end, we comply with the good practices recommended by the French national authority for the security and defence of information systems (ANSSI) and the French data protection authority (CNIL) (including but not limited to access to administration interfaces and tools restricted to authorised individuals only, the use of firewalls, a password policy in accordance with good practices and the encryption of our databases). 

7.     rights of data subjects and modalities of exercise

We ensure that your rights under applicable data protection legislation and in particular the GDPR are protected.

Your rights are outlined below.

  • right of access: you have the right to request a copy of your data and information, in particular,
  • the purposes of the processing;
  • the categories of data concerned;
  • recipients of your data;
  • data storage period;
  • right to rectification and/or deletion: you may request the rectification of your data if they are inaccurate, incomplete or obsolete.

You may also ask for them to be deleted as permitted by applicable law.

  • right to restrict processing: you may request the restriction of the processing of your data where that is provided for by the applicable law.
  • right to object to processing: for reasons relating to your particular situation, you have the right to object at any time to the processing of your data if the legal basis for the processing carried out by us is legitimate interest.

We will comply with your right to object unless we can demonstrate compelling legitimate grounds for continuing the processing concerned, only if we have found that those grounds outweigh your interests and your rights and freedoms or if the processing concerned is for the establishment, exercise or defence of legal claims.

  • right to portability: you have the right to the portability of your data. Please note that this is not a comprehensive right. Indeed, this right only concerns automated processing and not manual processing or data on paper.

Also, this right is limited to processing that is based on your consent or on the execution of pre-contractual or contractual measures.

  • right to withdraw consent: where the data processing we carry out is based on your consent, you may withdraw it at any time.
  • right to lodge a complaint: you have the right to lodge a complaint with the competent supervisory authority in France (CNIL), without prejudice to any other administrative or legal remedy.
  • right to define post-mortem guidelines: you may define guidelines for the storage, deletion and communication of your data after your death. 

All the rights listed above may be exercised sending an email to the following address [email hidden; JavaScript is required ] or by post at the following address:

Cabinet Chemouny Associés
GDPR correspondent
22, rue La Boétie, 75008 Paris

Please enclose a copy of a document proving your identity in your request.