PERSONAL DATA PROTECTION POLICY

Olinn

SCOPE

This personal data protection policy (the "Policy") is implemented by Olinn (RCS Nanterre 839 313 095) and all of its subsidiaries, direct or indirect, namely:

  • Olinn FG (RCS Nancy 499 747 277);
  • Olinn Finance (RCS Nancy 483 140 935);
  • Olinn Motors (RCS Nancy 753 349 489);
  • Olinn Belgium Srl (a company under Belgian law, company number 0832.533.677);
  • Olinn Luxembourg S.à r.l. (a company under Luxembourg law, RCS B171176);
  • Olinn Deutschland GmbH (a company under German law, Frankfurt am Main HRB 111997);
  • Factum (Suisse) Sàrl (a company under Swiss law, IDE CHE-106.102.332);
  • Olinn Italia S.R.L. (a company under Italian law, REA MI - 2587629);
  • Factum Iberica SL (a company under Spanish law, NIF B01661669);
  • Olinn Leasing (RCS Nanterre 847 508 827);
  • Olinn Mobile (RCS Nanterre 807 510 649);
  • Olinn Mobile SO (RCS Nanterre 825 286 354);
  • Olinn IT (RCS Montpellier 508 642 832);
  • Agences Générales de Location-Services (RCS Aix-en-Provence 326 991 528);
  • Olinn Business Solutions (RCS Nanterre 817 390 180);
  • and Olinn Services Solutions (RCS Nanterre 829 572 783)

Within the context of their respective business activities, all the companies of the group (hereinafter referred to as the "Group") collect and process personal data (hereinafter referred to as the “Personal Data”), as defined by and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter the "GDPR" ), and in accordance with all regulations in force. The Personal Data collected and processed by the Group relates to its customers, suppliers and partners.

DEFINITIONS

  • "Controller": means, for a Data Processing operation (as defined below), the person in charge of determining the purposes and means of such processing
  • "Data Processor”: means, for a Data Processing operation (as defined below), a person processing Personal Data on behalf of and under the instructions of the Data Controller
  • "Data Processing": means any operation or set of operations (whether automated or not) applied to Personal Data or sets of Personal Data.

PURPOSES OF PERSONAL DATA PROCESSING

The Data Processing carried out by the Group fulfills the following purposes:

  • Customer relationship management;
  • Configuration and repair of the customer's machines;
  • Auditing and data erasure of the customer's machines;
  • Management of the customer's assets/resources;
  • Management of the relationship with partners and suppliers;
  • Commercial prospecting;
  • Dispute management.

CATEGORIES OF PERSONAL DATA COLLECTED AND PROCESSED

The Group complies with the principle of data minimisation; in other words, it only processes Personal Data that is required to achieve the purposes set out above, namely:

  • Regarding the management of the customer relationship, this means the Personal Data necessary for the conclusion and fulfillment of the contract, namely identifying data (last name, first name) and the customer's contact details (postal address, telephone number and e-mail address), as well as the customer's tax data and bank details
  • Regarding the configuration and repair of the customer's machines, this means the Personal Data (last name, first name, e-mail address, usernames) entrusted by customers themselves for the purposes of providing the previously agreed configuration and repair services for their machines (desktop computer, laptop, tablet, mobile phone);
  • Regarding the auditing and data erasure of the client's machines, this means all Personal Data that an audit, as previously arranged with the client, may have revealed to be present on the machines (desktop computer, laptop, tablet, mobile phone) entrusted by them, and the subsequent erasure of said data
  • Regarding the management of the customer's assets/resources, this means the Personal Data (last name, first name, e-mail address) entrusted by customers themselves so that the Group may implement solutions to manage assets (computers) and resources (tablets, mobile phones)
  • Regarding the management of relations with partners and suppliers, this means the Personal Data of the Group's representatives working with these partners, i.e. their identifying data (last name, first name) and contact details (postal address, telephone number and e-mail address)
  • Regarding prospecting, this means the Personal Data (last name, first name, postal address, telephone number and e-mail address) communicated by the client, which is used by the Group for prospecting purposes in strict compliance with the applicable regulations
  • Regarding disputes, this means the Personal Data necessary for the management of the disputes in question, including identification data, contact details and any information related to the dispute.

RECIPIENTS OF PERSONAL DATA

The Personal Data may be communicated to other companies part of the Group, to financial partners and to suppliers, within the limits necessary to achieve the purposes set above.

The Personal Data may be communicated and processed by the subcontractors of the Group, within the limits necessary to achieve the purposes set above.

The Personal Data may be communicated to authorized third parties in order for the Group to comply with all of its legal and regulatory obligations, and with legal and regulatory obligations of the recepients mentioned above.

RETENTION PERIOD FOR PERSONAL DATA

The Personal Data collected may be shared with other companies in the Group, financial partners and suppliers.

Personal Data is also shared and processed by the Group's subcontractors within the limits necessary for the fulfillment of the purposes described above.

Personal Data may also be shared with any authorised third party in the interests of compliance with the Group's legal and regulatory obligations, and in the interests of compliance with the legal and regulatory obligations of the recipients of the Personal Data, as mentioned above.

PERSONAL DATA SECURITY

The Group ensures the availability, integrity and confidentiality of the Personal Data collected and processed. All technical and organisational measures adopted by the Group are intended to preserve the security of data and prevent it from being distorted or damaged, or accessed by unauthorised third parties.

The data is hosted on the Group's servers, all located in France.

RETENTION PERIOD FOR PERSONAL DATA

The Personal Data is kept by the Group for the duration necessary for its processing. Personal Data may be retained for an additional period of time, in accordance with the applicable legal statute of limitations, depending on the Personal Data category and the applicable national legislation.

RIGHTS OF INDIVIDUALS CONCERNED

The Data Processing operations carried out by the Group give the following rights to the naturals persons concerned:

  • the right to access, rectification and deletion of Personal Data under the conditions provided for by the regulations (articles 15 to 17 of the GDPR)
  • the right to limit the processing of such Personal Data under the conditions provided for by the regulations (article 18 of the GDPR)
  • the right to withdraw consent at any time, when the Data Processing is based on consent, under the conditions provided for by the regulations (Article 13-2, point c, of the GDPR)
  • the right to the portability of Personal Data under the conditions provided for by the regulations (Article 20 of the GDPR)
  • the right to object to Data Processing, under the conditions provided for by the regulations (Article 21 of the GDPR)
  • the right to give instructions providing access to data in the event of death
  • the right to lodge a complaint with the competent national Data Protection authority.

To exercise any of the above-mentioned rights, the natural person concerned must write to OLINN - for the attention of the Personal Data Officer - 26, avenue de la Garenne - BP 90362 - 54007 Nancy, or by e-mail to rgpd@olinn.eu. In either case, the natural person shall:

  • specify the purpose of the application (the right concerned)
  • attach proof of his or her identity, or that of his or her representative in the case of representation.

The Policy is subject to subsequent changes, in connection with legal and regulatory changes.