Privacy policy

Article 1. Introduction

At SOPHYSA, we pay the best attention and the utmost care to your privacy and to your personal data in accordance to the current law and regulations.

Article 1.1. Scope of the privacy policy

The goal of this privacy policy is to give a simple, clean and complete information to the people on the processing activities concerning them and implemented by SOPHYSA in its capacity as controller.

This policy covers the processing required in order to:

• The management of the website www.sophysa.com, the management of the extranet and the processing of requests send by the people to contact@sophysa.com and privacy@sophysa.com

• The management of customers, prospects, suppliers and partners.

• The recruitment

Article 1.2. Identification of the controller

In this policy, « SOPHYSA », « we », « our » and « « ours » refers to

SOPHYSA SA is a limited company, with a registered capital of €500,000, registered with the RCS (Trade and Companies Register) of Evry, under the number B 306 979 584, established 5 Rue Guy Moquet, 91400 Orsay, France.

For all is processing activities, SOPHYSA is the entity which determines the means and purposes and therefore acts as data controller within the meaning of the regulations applicable to personal data and in particular the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter "GDPR").

You can find all the information about SOPHYSA in our legal notice.


Article 2. Definitions

• Personal Data :

o Any information which allows to identify a person directly or indirectly

o Examples:

Name, Identification number, Location data and An online identifier

One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

• Data Processing :

o Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means

o Examples:

Collection, Recording, Organization, Structuring, Storage, Adaptation or Alteration, Retrieval, Consultation, Use, Disclosure by transmission, dissemination or otherwise making available, Alignment or combination, Restriction and Erasure or destruction

• Data Controller :

o The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

• Data Processor :

o A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

• Data Protection Officer (DPO) :

o The person responsible for ensuring compliance with the rules on personal data

• Data breach :

o A breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data


Article 3. Generalities applicable to all processing activities implemented by SOPHYSA

SOPHYSA ensures for each treatment the respect of the fundamental principles of data protection. This article informs you about the generalities applicable to all the processing activities covered by this policy. The following article details, for each activity, the specific conditions and procedures for implementing the treatment.

Article 3.1. Data minimization

Each form on the website limits the collection of personal data to what is strictly necessary and indicates the purpose (s) of the collection of such data and the recipient (s) of the data.

The data required to manage your request are marked with an asterisk on each form. If you do not fill in these mandatory fields, SOPHYSA will not be able to answer your requests and / or provide you with the requested services. Other information is optional and allows us to better manage your request and improve our communications and services to you.

Article 3.2. Sharing data with third parties and transferring your data outside the European Union

We never share your personal data with other companies for business purposes with the potential exception of the SOPHYSA distributor in your country.

Each section devoted to a processing activity details the internal recipients intended to access and process the data concerned. The data may possibly be transmitted to technical service providers chosen for their expertise and reliability who act on our behalf and according to our instructions (IT subcontractor, host of our servers, etc.).

We authorize these service providers to use your personal data only to the extent necessary to provide services on our behalf or to comply with legal requirements and we strive to ensure that your personal data is protected at all times. .

SOPHYSA may also be required to provide your data to third parties where such communication is required by law, a regulatory provision or a court order, or if such communication is necessary to protect and defend our rights.

All these third parties may come from countries within or outside the European Union ("EU"), including countries that do not offer the same level of data protection as your country of residence. In such a case and to the extent required by applicable law, we will ensure:

• Either to obtain your express and unequivocal consent to share your personal data with these third parties;

• To conclude data transfer contracts complying at least with the standard contractual clauses adopted by the European Commission;

• Either to ensure that these third parties located in the United States are companies that have joined the EU-U.S. Privacy Shield and registered as such with the US administration.

Article 3.3. Data security

SOPHYSA is committed to protecting your personal data against loss, destruction, alteration, access or unauthorized disclosure. To this end, SOPHYSA implements appropriate technical and organizational measures, in view of the nature of the data and the risks that their treatment entails, to preserve the security and confidentiality of your personal data and, in particular, to prevent them from being deformed, damaged, or to prevent unauthorized third parties from having access to it.

Such measures may include, but are not limited to, limited access to data by authorized staff because of their duties, contractual safeguards when using an external service provider, privacy impact assessment, regular reviews of our practices and policies about privacy and / or physical and / or logical security measures (secure access, authentication process, backup copies, antivirus software, firewalls, etc.). ).

Article 3.4. Data about underage people

The services of SOPHYSA are not intended for underage people. Also, we do not collect or knowingly process personal data relating to underage people. In the event that we are aware of the collection of personal data of underage people without the prior authorization of the holder of parental responsibility, we will take appropriate measures to remove personal data from our servers and / or those of our service providers.


Article 4. Data processing controlled by SOPHYSA

Article 4.1. Processing activities performed for the management of the website, the extranet and the requests sent from the online forms

Article 4.1.1. Context of collect

When browsing www.sophysa.com, you may need to make a contact request via the "Contact Us" or "Contact" form.

Article 4.1.2. Data processed

As part of these activities, SOPHYSA processes and stores the following personal data about you to respond to your contact request:

• The information provided on the form, namely :

o Your identity

o Your contact details

o If applicable, the content of the message,

• Any information communicated later during our exchanges.

The basis of the processing activity is the need for processing for the fulfillment of a legal or regulatory obligation, in this case the obligation to respond to the requests made by the data subjects mentioned by the GDPR in Article 12, 2.

Article 4.1.3. Lawful basis and period of storage

The basis of the processing activity is your consent that you express by accepting and submitting the contact request.

This data is processed by the service concerned by your request the necessary time to answer you.

Depending on your request and the content of our exchanges, the data thus collected may be used for other purposes. These processing activities are then subject to the terms and conditions attached thereto.

We also indicate that we make anonymous statistics on the www.sophysa.com website, which do not allow us to identify you.

Article 4.2. Processing activities performed in order to manage prospects, customers, suppliers, and partners

Article 4.2.1. Context of collect

SOPHYSA may also process personal data concerning you when:

• Your company wishes to enter into a contract with SOPHYSA.

• Your company enters into a contract with SOPHYSA as a customer, service provider or partner.

Article 4.2.2. Data processed

In this context, SOPHYSA will collect information relating to:

• To the contact (s) indicated to SOPHYSA such as the contact indicated on the form,the main referent for the contract, the contact for billing or any other contact

o Last name

o First name

o Email address professional

o Business telephone

o Function

o All the information contained in the exchanges (nature of the request, etc.)

• To the signatory (s) of the contract:

o Surname

o First name

o Function

o Signature

Article 4.2.3. Data recipients

These data are intended, as necessary, for the employees in charge of the follow-up of the commercial relationship and / or the partnership, the accounting / invoicing and the collaborators of the services implied by the request / the contract.

Article 4.2.4. Lawful basis and period of storage

They are collected and preserved:

• For non-contracted exchanges:

o The time required to study and track the application + one (1) year after the application is closed (or the last contact if necessary)

• For contracts and in order to execute the contract:

o The duration of the contractual relationship

• For the purpose of responding to our legitimate interest in protecting and defending our rights in the event of litigation :

o For five (5) years following the termination of the contractual relationship.

Article 4.3. Processing activities performed for recruitment purposes

Article 4.3.1. Context of collect

SOPHYSA may process personal data about you when you submit an unsolicited application or apply for an advertisement posted by SOPHYSA (via the "Careers" section of the SOPHYSA website or a linking platform such as Indeed).

Article 4.3.2. Data processed

In this context, personal data about you are collected:

• Directly to you during the recruitment process

• Indirectly with third parties for the verification of your diplomas and references, with your agreement.

The collected data are the following:

• Name,

• First name,

• Email address,

• Telephone,

• Professional experience as well as

• All the information that you communicate to us via the transmission of your application and / or your curriculum vitae and / or interviews:

o Photo

o Skills

o Level of study

o Languages spoken

o Salary expectations

o Personal address

o Hobbies

o Family situation

o Etc.

If you provide us with contact information for a reference, it is your responsibility to ensure that it is informed and has agreed to it.

Article 4.3.3. Lawful basis and period of storage

These data are collected and stored only as part of the management of your application, based on the legitimate interest of SOPHYSA and / or your consent and are not used for any other purpose, including commercial.

They are kept:

• In case of a positive outcome to an application:

o The data relating to an employee are kept for the time of his presence within SOPHYSA and after his departure for the applicable legal retention period.

• In case of negative outcome to an application:

o Six (6) months, unless opposed by you.

Your personal data will in any case be destroyed on request from you (see the section on the contact details of the DPO), within a maximum of 1 month from your request.

Article 4.3.4. Data recipients

These data are processed by SOPHYSA recruiting employees only and, incidentally, for technical and logistical reasons, to SOPHYSA's subcontractors.


Article 5. Exercise of your rights and contact details of our Data Protection Officer

Article 5.1. Your rights

SOPHYSA informs you that you have the following rights under the European Data Protection Regulation and the Data Protection Act of 1978:

• The right to access your data and to see them communicate.

• The right to request the rectification of your personal data.

• The right to request the erasure of your personal data.

• The right to request the restriction of the processing of your personal data.

• The right to object to the processing of your personal data.

• The right to data portability.

• The right to withdraw your consent for the processing of your personal data at any time.

Article 5.2. Where to address your requests

To exercise these rights, please contact SOPHYSA:

• E-mail to privacy@sophysa.com

• By mail, at SOPHYSA, 5 Rue Guy Moquet, 91400, Orsay

All requests must be accompanied by a signed identity document.

Article 5.3. Data processing performed for answering your request

Article 5.3.1. Context of collect

When you exercise your rights, our Data Protection Officer processes your personal data for the purpose of managing your request.

Article 5.3.2. Data processed

The Data processed are:

• Title

• Surname,

• First name,

• Copy of the identity document

• Nature of the request

• Answer provided.

Article 5.3.3. Lawful basis and period of storage

These data are processed for the fulfillment of a legal or regulatory obligation, in this case the obligation to respond to the requests made by the data subjects mentioned by the GDPR in Article 12, 2.

These data are kept for a period of three (3) years, with the exception of a copy of your identity document, which is kept for one (1) year.

Article 5.4. Where to complain

SOPHYSA also informs you that you can file a complaint before the National Commission on IT and Liberties:

• By mail at the address 3 Place Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07,

• Either directly on the CNIL website via an online service at https://www.cnil.fr/en/complaints


Article 6. Data breach notification

In the event that your personal data are accessed, lost or stolen by an unauthorized third party, SOPHYSA will take commercially reasonable measures to notify you to the extent required by law, and will provide you with personal data that have been consulted / disclosed, using the contact information you have provided to us, or by any other reasonable means.


Article 7. Links to third party sites

SOPHYSA's website may contain links to social media platforms managed on third-party servers, by people or organizations over which the company has no control.

As such, SOPHYSA can in no way be held responsible for the way your data will be stored or used on the servers of third parties. We advise you to read the applicable policy regarding the protection of personal data of each third party website that you access via our website to assess how your personal data will be used.


Article 8. Change to this policy

SOPHYSA may modify the data protection policy as needed. We will ensure that you are informed of these changes either by a special mention on our site, or by a personalized warning especially in the context of our sending newsletters. The SOPHYSA Website Privacy Policy was last updated on July 23rd, 2018.