Privacy Policy

This page describes the conditions under which SIGMA-RH Solutions and SIGMA-RH France (hereinafter "SIGMA-HR") process personal data collected from individuals (customers, prospects, etc.).

If you have any questions about this policy, you can send us your request to [email protected].

Privacy Policy

The purpose of this policy is to present the rules relating to the protection of personal data, in the capacity of data controller and subcontractor, which SIGMA-HR undertakes to respect. These rules come in particular in application of the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada and of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation or GDPR) of Europe, relating to the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC in Europe.

This document is likely to evolve, particularly when necessary to meet the obligations of the legislation on the protection of personal data.  We therefore encourage you to visit this dedicated page regularly.

The concepts concerning the protection of personal data used in this document have the same meaning as those given by the PIPEDA or the RGPD.

Compliance with the general principles of personal data protection

When SIGMA-HR acts as a data controller

SIGMA-HR guarantees that personal data are:

processed in a lawful, fair and transparent manner ;
collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with these purposes;
adequate, relevant and limited to what is necessary for the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept for no longer than is necessary for the purposes for which they are processed;
processed in such a way as to guarantee appropriate security, including protection against unauthorized or illicit processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures adapted to the risks.

When SIGMA-HR acts as a subcontractor

SIGMA-HR guarantees that :

the purposes of the processing are described in the contract signed between SIGMA-HR and its client;
the processing of the client's personal data is carried out only for the purposes determined and on its instructions under the conditions provided for in the contract;
the deletion of the personal data is undertaken at the end of the contract and under the conditions provided for in the contract, except if the applicable law requires this conservation.

Purpose and legal basis of personal data processing

When SIGMA-HR acts as data controller

For its internal needs, SIGMA-HR collects personal data for the following purposes

management of its customer and prospective customer contacts (sending marketing information, product information or Group news, meeting the needs of customers or prospective customers, etc.);
management of its commercial contracts (management of orders, invoicing, collection, etc.);
management of SIGMA-HR personnel, recruitment and careers (screening and contacting candidates, etc.);
creation and administration of user accounts;
implementation and management of services subscribed to by its clients (recording of calls and/or tickets made to support, etc.).

According to these different purposes, SIGMA-HR ensures that one of the following conditions is met:

the consent of the individual has been collected for one or more specific purposes;
the processing is necessary for the execution of a contract to which a natural person is a party or for the execution of pre-contractual measures taken at the request of the latter;
the processing is necessary to comply with a legal obligation to which SIGMA-HR is subject;
the processing is necessary to safeguard the vital interests of a natural person;
the processing is necessary for the purposes of the legitimate interests pursued by SIGMA-HR, unless the interests or the fundamental rights and freedoms of the natural person concerned prevail.

When SIGMA-HR acts as a subcontractor

SIGMA-HR may have to access and process the personal data entrusted by its clients within the strict framework of the contract and services subscribed to.

This access and processing is governed by a contract containing specific data protection clauses signed between SIGMA-HR and its client.

SIGMA-HR processes personal data only on behalf of and on the documented instructions of its client in accordance with the provisions of the said contract.

Security and notification of data breaches

SIGMA-HR implements appropriate technical and organizational measures to ensure a level of security appropriate to the risks.

SIGMA-HR is ISO 27001 certified for its Information Security Management System for the delivery of a service allowing the hosting of applications containing data provided by customers in a cloud environment.

This certification guarantees the implementation of a certified security policy applied to SIGMA-HR's processes and workflows throughout the life of the SaaS service delivered to the customer.

More generally, SIGMA-HR employees are subject to an IT charter to ensure an appropriate level of security.

Any data breach will be notified :

when SIGMA-HR acts as a data controller, to the local supervisory authority and, if necessary, to the individuals affected by the said breach;
when SIGMA-HR acts as a subcontractor, to its clients affected by the said violation under the conditions of the contract between SIGMA-HR and its clients.

Right of individuals

When SIGMA-HR acts as a data controller

Under the conditions provided for by local legislation, individuals have the right to

access personal data concerning them and processed by SIGMA-HR;
request the rectification, erasure or limitation of the processing of their personal data by SIGMA-HR;
under certain conditions, to object to the processing of their personal data;
request the portability of personal data;
when consent is the legal basis of the processing, to withdraw their consent;
to define directives concerning the fate of their personal data in the event of their death.

Requests related to these rights can be sent to [email protected]

SIGMA-HR reserves the right to ask for clarification of any request and to justify the identity of the applicant.

An unsubscribe link is also available in our email marketing communications.

In any case, SIGMA-HR recommends contacting the local control authority (such as the CNIL in France) to find out more about the regulations relating to the protection of personal data, the rights of individuals and the possibility of lodging a complaint with this authority.

When SIGMA-HR acts as a subcontractor

In the event that SIGMA-RH receives a request from an individual concerned with the processing of his or her personal data in the context of the performance of the contract between SIGMA-HR and its client, SIGMA-HR will communicate this request to its client as soon as possible after its receipt and, taking into account the nature of the processing and under the conditions established in the contract, will assist its client, by means of appropriate technical and organizational measures, to the fullest extent possible, in fulfilling its obligation to comply with these requests.

The customer remains responsible for the response to the natural person concerned.

Information of natural persons

When SIGMA-RHHR acts as a data controller

At the time of collection of personal data, SIGMA-HR undertakes to provide the natural persons concerned with at least the following information, as far as possible and whatever the processing carried out:

the contact details of the data controller and its Data Protection Officer;
the purposes of the processing and its legal basis;
the recipients;
transfers outside the EU, if any;
the length of time for which the data will be kept;
the possibility of requesting the exercise of rights that may be exercised in application of the applicable regulations;
the right to lodge a complaint with the control authority.

SIGMA-HR may also receive personal data (name, associated company, telephone number, e-mail address) from third party sources such as lead providers.

This data is only used to :

update, develop and analyze its client/prospect base;
identify new prospects;
to provide information about appropriate SIGMA-HR products and services.

When SIGMA-HR acts as a subcontractor

The responsibility for informing individuals lies with the data controller. Under the conditions provided for in the contract, SIGMA-HR provides its clients acting as data controller with all useful information to enable them to comply with local regulations.

Transfers outside the European Union (where applicable)

The data collected may be processed outside the European Union. Thus, in accordance with the legislation on data protection, SIGMA-HR refrains from transferring Personal Data, without putting in place the adequate tools for the supervision of these transfers in application of article 46 of the RGPD, outside:

the European Union, or
the European Economic Area, or
countries recognized as having an adequate level of security by the European Commission, including companies established in the United States of America certified "Privacy Shield" or, in the event of its invalidation, the mechanism that replaces it.

Recipients of the data

SIGMA-HR may share personal data with third parties only as provided in this document and/or the applicable contract.

To learn more about the recipients, contact us at [email protected].

Service Provider

SIGMA-HR may share personal data with third parties providing a service:

on behalf of SIGMA-HR in the context of the execution of the client contract (hosting, consulting, subcontractor, etc.) under the conditions provided for in the contract;
to assist SIGMA-HR in the execution of the financial and administrative conditions of the contract (collection, billing, etc.);
to carry out marketing communication on behalf of SIGMA-HR.

Distributors and/or sales partners

SIGMA-HR has developed a network of partners (distributors, editors, etc.) for several of its offers in order to help it supply and develop its products.

Depending on the offer that interests the contact or is likely to interest him/her, SIGMA-HR may share the contact information with a relevant partner.

SIGMA-HR subsidiaries

SIGMA-HR may share personal data with SIGMA-HR Group companies for the purposes mentioned in this policy if this is necessary for its realization (contract or application for a position in a subsidiary outside of Canada or France, etc.).

Public authorities

In some cases, SIGMA-HR may be required to share personal data in response to a request from a public authority, a subpoena or any other legal request under applicable laws.

In such cases, SIGMA-HR will provide the data necessary to comply with the request, including when SIGMA-HR believes in good faith that such sharing is necessary to protect your rights, ensure your safety or the safety of others, investigate fraud, or comply with a legal requirement.

SIGMA-HR's cooperation with its clients and the supervisory authority

In accordance with local legislation and in compliance with its contractual obligations, SIGMA-HR undertakes to cooperate reasonably with its clients in order to help them meet their obligations.

In general, SIGMA-HR undertakes to cooperate with the local supervisory authority when necessary and to reasonably take into account its recommendations.

Privacy by design in products and services

When SIGMA-HR plans to develop a new service or offer and in its capacity as a publisher, it will make its best efforts to introduce from the beginning of this project the principles of personal data protection ("privacy by design") and thus help its clients to comply with the requirements of the applicable regulations by specific functionalities and means.

Awareness of SIGMA-HR staff

All new employees at SIGMA-HR are required to undergo an awareness-raising course on the protection of personal data.

More generally, SIGMA-HR makes every effort to offer all its employees regular awareness training on the challenges of personal data protection.

More specific awareness-raising or training sessions may be carried out for employees who are required to handle personal data on a regular basis.

Governance of personal data protection

In order to manage the protection of personal data, SIGMA-HR has set up a dedicated governance structure.

A Data Protection Officer (DPO) has been appointed and declared to the relevant local supervisory authorities. The DPO leads this governance.

A strategic committee acts transversally on all of the company's activities, supported by an operational committee composed of the DPO and the relays within SIGMA-HR.

Data processing registers

SIGMA-HR maintains two personal data processing registers:

a register describing the processing carried out in its capacity as data controller;
a register describing the processing carried out on behalf of and on the instructions of its clients who are responsible for the data processing.

These records are made available to the relevant local supervisory authorities upon request.

Contractual policy

SIGMA-HR has taken into account the mandatory contractual obligations under local legislation in all the clients and contracts affected.

Thus, contractual clauses specific to data protection and in compliance with applicable regulations have been introduced in particular in :

license agreements (GTC/UG);
contracts between SIGMA-RH and its own subcontractors.

Contact

For any question relating to this policy, you can contact our Data Protection Officer and send your request to [email protected].