Privacy Policy:
LEGAL BASIS
HOLDER
The person responsible for processing personal data is HEXNOIR Groupe 7 rue Galvani 75017 PARIS — Rcs Paris 90179017000038
PURPOSE OF THE PROCESSING
The processing aims to ensure an evaluation of the documents transmitted. The processing may concern reports relating to violations of national and European regulations, which govern the activities of HEXNOIR Group, the principles and rules of conduct contained in the Code of Ethics and the Internal Regulations, as well as the provisions contained in the SAPIN II Law, No. 2016-1691 of 9 December 2016, relating to transparency, the fight against corruption and the modernization of economic life.
Reference is made to illegal or fraudulent conduct referring to employees, members of legal entities or third parties who can determine, directly or indirectly, criminal liability, damage to economic integrity and/or image.
Personal data is acquired because it is contained in the report and/or in the acts and documents attached to it.
TYPE OF DATA PROCESSED
The reception and management of alerts result in the processing of personal data within the meaning of article 9 of the GDPR. Only so-called “common” data is processed (name, first name, email address, telephone number). The processing must not contain particular data such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data in order to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person (article 9 of the GDPR).
If the report contains particular data or personal data relating to criminal convictions or offenses as defined by the GDPR (transmitted to the whistleblower or to third parties), the Data Controller will destroy them, except in cases where the processing is authorized by law.
The data provided will be treated while protecting the confidentiality of the whistleblower's identity throughout the procedure under the responsibility of the Data Controller.
LEGAL BASIS FOR THE PROCESSING
The processing meets a legal obligation for HEXNOIR Group within the meaning of article 6, paragraph 1, c. of the GDPR and article 5.3, "Treatment of the identity of the author of an alert", in the CNIL Repository relating to the processing of personal data intended for the implementation of an alert system, version of 6 June 2023 (Repository - Professional alerts).
PROCESSING METHODS
Personal data will be processed with electronic tools for the time strictly necessary to achieve the purposes for which they were collected.
The processing is carried out in strict compliance with the GDPR and the CNIL Framework relating to the processing of personal data intended for the implementation of an alert system, version of June 6, 2023, in particular the provisions concerning the system for the internal collection and management of professional alerts (DAP).
HEXNOIR Group, with the support of the provider of the WHISTLEBLOWING platform, implements appropriate measures to ensure that the data provided is treated appropriately and in accordance with the purposes for which they are managed.
In accordance with the provisions of articles 24, 25 and 32 of the GDPR, NETHERHACK Group uses security, organizational, technical and physical measures to protect information against alteration, destruction, loss, theft or abusive or illegitimate use.
DATA RETENTION PERIOD
The data will be processed for the time strictly necessary to achieve the purposes indicated above, without prejudice to any subsequent conservation in order to comply with legal obligations in compliance with current legislation on the protection of personal data (article 5, paragraph 1, e. of the GDPR and Article 7 of the CNIL Repository relating to the processing of personal data intended for the implementation of an alert device).
The duration of conservation and archiving of personal data relating to an alert will differ depending on whether or not the alert is effective.
If the data controller decides to follow up on an alert, or if disciplinary or litigation action is initiated, all personal data collected during the investigation may be retained until the end of the procedure, until the expiry of the statute of limitations (six years) or exhaustion of remedies (Article 133-3 of the Criminal Code).
In the event that the alert instruction does not lead to any follow-up, personal data must be destroyed or anonymized within two months following the end of the investigation (Sapin II Law).
RIGHTS
In accordance with the provisions of article 15 and following of the GDPR and applicable laws, the data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed and, if so, access to said personal data.
In accordance with the forms provided for by law, the person concerned has the right to request the correction of inaccurate personal data and the integration of incomplete data and to exercise any other rights in accordance with article 15 and following of the GDPR.
As part of a disciplinary procedure, the data subject has the right to revoke, at any time, his consent to the disclosure of his identity without this affecting the lawfulness of the processing, based on the consent, carried out before the withdrawal (article 13 of the GDPR).
The person concerned has the right to oppose the processing of their data, subject to the conditions for exercising this right in accordance with the provisions of article 9 of the CNIL Framework and article 21 of the GDPR.
These rights can be exercised upon request made by: Email to the address: