Commitment, Process and Implementation
Applicable for all data collected by AMA:
1. Scope of application, security and confidentiality:
This policy details (i) the origin and nature of the data collected by AMA, (ii) why the data is collected by AMA (reason and purpose), (iii) how the data is used by AMA, and (iv) the rights that you have regarding this data, in compliance with law no. 78-17 of the 6 January 1978 (“Loi Informatique et Liberté), as modified, and the Regulation (EU) 2016/676 of the European Parliament and the Council of 27 April 2016 on the protection of personal data, and repealing Directive 95/46/EC “GDPR” (collectively referred to as the “Personal Data Protection Legislation”).
AMA has endorsed security mechanisms restricting the access to personal data, only to legal or natural persons who are allowed by specific authorization or entitled to access personal data.
Furthermore, AMA ensures confidentiality and security of personal information via Non-Disclosure Agreements and, when applicable, via its Terms and Conditions, and for any natural person providing information to AMA. AMA implements organizational and technical of security measures intended to guarantee the confidentiality and integrity of your personal information. All data stored on our servers is protected by measures such as secure portal under HTTPS protocol, encryption of data in transit under TLS protocol, firewalls, antivirus software, access management, intrusion detection.
However, due to the very nature of a worldwide public communication network such as the Internet, you acknowledge that complete security of electronic transmissions through the Internet and integrity of Personal Information cannot be warranted.
In case of a security breach resulting in a personal data breach, we commit to implement the corrective measures as soon as possible and notify such personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with the Personal Data Protection Legislation.
AMA may provide on demand a Data Processing Addendum for product or service provided by AMA, specific provisions regarding personal information and confidentiality within the scope of the use of its products and services.
2. Nature of the information collected by AMA and Consent:
2.1. Website – contact form:
2.2. Website – browser data:
• AMA collects information automatically , without you completing forms (ie. date and time of connection of a terminal to an electronic communication service / type of operating system used by the terminal / type and version of the browser software used by a terminal / language of use of the browser software used by the terminal).
• Browser data is collected by the installation of cookies on your terminal.
• Type of cookies: Technical cookies and cookies related to functionality.
• List of tracking cookies used by AMA for audience measurement and tracking of your activity: Google Adwords.
• Cookies placed on AMA website by third parties: Google, Hubspot.
2.3. Using AMA’s services:
As regards contractual relationships between AMA and its customers, and as stipulated in AMA’s Terms & Conditions, the legal representative or Contract signatories is/are informed that their personal data will be processed for the purpose of maintaining the contractual relationship. User data (ie. name/surname/telephone number/email address/username/password/IP address) is automatically collected when using the services. Consent is therefore provided via the signature of the agreement and/or Terms and Conditions of AMA. For further information, refer to Agreement / T&Cs / DPA.
3. Use of your personal information by AMA:
3.1. Legal Basis for the processing purpose:
• Performance of a Contract ;
• Legitimate interest;
• Compliance with legal obligations;
• Performance of a contract.
3.2. Performing “customer management” operations concerning:
• Customer requests (information requests, quotations, orders) ;
• Provision of AMA services ;
• Customer relationship management (including but not limited to performance of satisfaction surveys, complaints management, etc.).
3.3. Categories of personal data
• Contact data ;
• AMA service usage data;
• Browsing data.
3.4. Improving your user experience on AMA websites
• To conduct promotional activities (notably newsletters) ;
• To handle your requests related to the right to access, to correct or express objection regarding your personal information ;
• To adapt the AMA website and services, as well as the content and advertising that they provide;
3.5. Conducting operations relative to direct marketing, including:
• Management and development of commercial statistics.
AMA undertakes to (i) collect, process and use personal data only within the scope of its website and services, (ii) ensure that the security and confidentiality requirements are met while collecting, processing and using data, (iii) provide appropriate training on personal data protection to its personnel.
4. Recipients of your personal information:
4.1. AMA’s teams:
Those who may access and process your personal information are the personnel of AMA in the marketing, sales, legal, accounting, logistics and IT departments in charge of handling customer relations and prospection.
Subsidiaries of AMA Group. AMA is entitled to process contact details collected via the website or the commercial relationship within the legal requirements of the applicable data protection and privacy laws in its latest version, especially the General Data Protection Regulation (GDPR) 2016/76 implemented 25 May 2018, and, to the extent required in connection with the commercial offer and its implementation, to pass on such data to companies affiliated to AMA.
4.3. Subcontractors and commercial partners of AMA, within the frame of agreed contracts and authorizations;
4.4. Ministerial officers and auxiliaries of the legal system, if applicable, within the framework of exercising any procedure and/or provision of public law and order.
5. Data retention:
AMA keeps your personal information for the duration strictly necessary for the management of the commercial relationship.
5.1. Active personal information:
AMA keeps your personal information as long as it is active and/or as long as necessary to provide the services to you;
5.2. Non active personal information:
• Customer data used for commercial prospecting purposes may be kept for a period of three (3) years from the end of the commercial relationship (CNIL deliberation n°2016-264, 21 July 2016, article 5); At the end of this three-year period, AMA (data controller) may contact you again to find out whether you wish to continue receiving commercial solicitations. In the absence of a positive and explicit response from the person, the data must be deleted or archived in accordance with the provisions in force, and in particular those provided for by the French Code de Commerce, Code Civil, and Code de la Consommation.
• Any other information is deleted or anonymized upon the person whose personal information is collected and processed’s request or two (2) years from last use by AMA.
5.3. Data collected for the use of the services (XpertEye) is automatically crypted and anonymized. In cases where the Customer records personal data through the use of the services, AMA cannot access this data as it is encrypted, and the Customer remains solely responsible for the use and/or processing of this personal data. AMA ensures that it provides a solution that does not record any personal data. The User is the only one who can process personal data and is therefore solely responsible for the data processed, if any. Customer and all Users he is liable for shall remain responsible for storage of the data processed directly or indirectly using the services as well as use is made of it. Customer, and all Users he is liable for, undertakes to use the services and any personal data gathered via the services in such a way that is fully compliant with personal data protection regulations, particularly the General Data Protection Regulation (GDPR) 2016/76 implemented 25 May 2018.
6. Information, Consent and Rights:
6.2. The data provided shall be kept as long as such relationship is maintained or for the time necessary to comply with the applicable legal obligations. The data shall not be surrendered to third parties except where there is a legal obligation.
6.3. The owner of the data may exercise at any time, to the extent that it applies (articles 15 and 22 of the GDPR), the rights of access, corrections or deletion, limitation of its processing, objection, portability, and to oppose automated individual decisions. AMA has appointed a Data Protection Officer to whom questions may be raised concerning the processing of personal data. The owner of the data may also lodge a complaint with the French supersory authority « Commission Nationale de l’Informatique et des Libertés », 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, Tel :01 53 73 22 22. Your requests should be sent in writing or by email to the contact information indicated below, signed and accompanied by a photocopy of an identity document bearing the signature of the holder. The request should indicate the address where the response should be sent. We have a period of 1 (one) month following receipt of the request to respond. That period may be extended by 2 (two) further months where necessary, taking into account the complexity and number of the requests.
AMA: 130 rue Eugène Pottier, 35000 Rennes – France
by email to firstname.lastname@example.org.
7. Transfer of personal information outside the EU:
Within the framework of the purposes listed in 3 of this Pirvacy Policy, all or a portion of the Personal Information collected may be sent to recipients located in a country outside the EU.
AMA makes certain that your Personal Information is effectively protected. As such, all transfers are sent to recipients located:
• in countries having, according to the criteria established by the European Commission, an adequate level of protection of personal data;
• in countries not offering adequate personal protection but to which the transfer is done within the framework of standard contractual clauses specified by the European Commission, or by the adoption of “binding corporate rules”.