Data Privacy Policy
PRELIMINARY ARTICLES – DEFINITIONS
In the context of personal data processing, the following definitions apply:
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); An "identifiable natural person" is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;
"Cross-border processing": processing of personal data which takes place in the Union in the context of the activities of establishments in several Member States of a controller or processor, where the controller or processor is established in several Member States; or processing of personal data which takes place in the Union in the context of the activities of a single establishment of a controller or a processor, but which substantially affects or is likely to substantially affect data subjects in several Member States;
"Controller": the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller may be designated or the specific criteria for its designation may be provided for by Union or Member State law;
"Processor": the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
"Consent": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
"Recipient": the natural or legal person to whom personal data are disclosed, whether a third party or not.
ARTICLE 1 – IDENTIFICATION OF THE DATA CONTROLLER AND RECIPIENT
In the course of its business of selling audiovisual products, the Publisher is required to process the personal data of its customers.
The data controller is the Publisher.
The recipient of the data collected is also the Publisher. The data collected can only be accessed by the Publisher within the limits strictly necessary for the performance of contractual commitments. This data, whether in individual or aggregate form, is never made freely available for viewing by a third party.
Customers and Users are the persons concerned by the data processing.
ARTICLE 2 – PROCESSING OF PERSONAL DATA
Within the framework of its contractual relationships, the Data Controller collects and processes information from its customers such as: surname, first name, and email address.
This same personal data may also be processed for IT security purposes and to prevent illegal acts or criminal offenses, in particular to protect the integrity of the website and prevent any fraudulent use.
2.1 Legal basis
2.1.A The first processing is based on Article 6(1)(b) of the General Data Protection Regulation (GDPR), i.e., it is necessary for:
– the implementation of pre-contractual measures taken at the customer's request (response to a request for information, account creation, quote);
– the performance of the sales contract concluded between the Publisher and the customer (order processing, delivery, invoicing).
2.1.B The second is based on Article 6(1)(f) of the General Data Protection Regulation, necessary for the legitimate interests pursued by the controller.
2.2 Purposes of processing
2.2.A Data collected during the pre-contractual phase and during the contractual relationship are subject to automated processing for the following purposes:
– The performance of contractual commitments
– Contacting customers in the context of monitoring contractual relationships
– Verifying the identity of Customers, when necessary for the performance of the contract.
2.2.B The data collected when creating the customer file is subject to automated processing for the following purposes:
– IT security of the website;
– Prevention of any fraudulent behavior;
– Prevention of misuse of services or violations of the General Terms and Conditions of Use;
– Initiation of legal proceedings.
2.3 Data minimization
Pursuant to Article 5(c) of the General Data Protection Regulation (GDPR), the Data Controller instructs its Customers to provide only personal data that is strictly necessary for the performance of contractual obligations.
The Data Controller undertakes to process only data that is strictly necessary for its professional activities and for the security of the website, and to delete any data received that is not useful for its activities as soon as possible.
2.4 Accuracy of data provided
In accordance with Article 5(d) of the General Data Protection Regulation (GDPR), the data processed by the Publisher must be accurate and up to date.
Therefore, any changes or errors in the entry of an email address must be reported to the Data Controller and corrected by the latter without delay.
2.5 Security of processed data
Personal data is stored securely, in accordance with current technical standards as defined in Article 5(f) of the General Data Protection Regulation (GDPR).
2.6 Data retention period
The processed data is retained:
– For the duration of the contractual relationship and up to 5 years from the end of said contractual relationship;
– For the period during which the Publisher may be held liable;
– For a period of 5 years for processing related to website security.
Once these periods have elapsed, the Data Controller undertakes to permanently delete the data of the persons concerned without retaining a copy.
ARTICLE 3 – EXERCISE OF THE RIGHTS OF THE PERSONS CONCERNED
In accordance with the GDPR and the French Data Protection Act, the persons concerned have rights regarding their personal data. They may exercise the following rights:
– Right of access to and copying of personal data, provided that such a request does not conflict with business secrecy, confidentiality, or the secrecy of correspondence (Article 15 of the General Data Protection Regulation (GDPR)).
– Right to rectify personal data that is inaccurate, obsolete, or incomplete (Article 16 of the General Data Protection Regulation (GDPR)).
– Right to request the erasure ("right to be forgotten") of personal data in the following cases (Article 17 of the General Data Protection Regulation (GDPR)):
  – The data is no longer necessary for the purposes for which it was collected or processed;
  – The data subjects object to the processing based on legitimate interest and there is no compelling legitimate reason to continue the processing;
  – The data collected has been processed unlawfully;
  – A legal obligation requires its deletion.
– Right to data portability: data subjects have the right to the portability of their personal data, only when the processing is based on consent or on a contract, and is carried out using automated processes (Article 20 of the General Data Protection Regulation (GDPR)).
– Right to object to the processing of your personal data for commercial prospecting purposes (Article 21 of the General Data Protection Regulation (GDPR)).
– Right to give instructions on the fate of the data in the event of death, either through the data subject, a trusted third party, or a beneficiary.
Data subjects may exercise their rights via the following email address: dpo@studiofact.fr
The data controller undertakes to respond as soon as possible, within a maximum period of three (3) months, to requests for access, rectification, erasure, and portability made by data subjects.
They may also contact the CNIL and lodge a complaint directly on its website or by mail at the following address: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
ARTICLE 4 – CROSS-BORDER DATA TRANSFERS
The Publisher uses subcontractors to facilitate the collection and processing of its Customers' data. These subcontractors may be located outside the European Union.
The Data Controller may transfer certain personal data to subcontractors located outside the European Economic Area.
These transfers are carried out exclusively in accordance with the applicable regulations, in particular on the basis of:
– an adequacy decision by the European Commission;
– the recipient's certification under the Data Privacy Framework (list of certified companies available at: https://www.dataprivacyframework.gov/list);
– or the signing of standard contractual clauses approved by the European Commission.
The Data Controller also ensures that the subcontractors concerned offer sufficient guarantees in terms of security, confidentiality, and respect for the rights of the persons concerned.
ARTICLE 5 – TRANSFERS UPON REQUEST OR JUDICIAL DECISION
The persons concerned also consent to the Data Controller communicating the data collected to any person, upon request from a state authority or judicial decision.
ARTICLE 6 – TRANSFERS IN THE CONTEXT OF A MERGER OR ACQUISITION
If the Publisher is involved in a merger, sale of assets, financing transaction, liquidation or bankruptcy, or in an acquisition of all or part of its business by another company, Customers agree that the data collected may be transferred by the Publisher to that company and that that company may process the personal data referred to in these Terms of Use in place of the Publisher.