XCOM Privacy Policy
XCOM is an IT-specialized BtoB event organizer based in France and Morocco. As such, it collects and processes a large amount of personal data on behalf of itself, its customers and business partners. XCOM is committed to ensuring that its systems and practices comply with the provisions of the European Data Protection Regulation. The purpose of this personal data charter is to describe the principles implemented by XCOM in order to comply with the regulation and protect the privacy of individuals whose data is processed. It also sets out the general framework for the processing of personal data carried out within XCOM and, in this sense, aims to provide the persons concerned with the information they need to comply fully with the regulations in force.

1 – How is data collected?

In the course of its activities, XCOM collects data, some of which identifies individuals or makes them identifiable.

1.1.
The legal basis for collection:

Legislation lists the legal bases for the collection of personal data, that is, the legitimate justifications for data collection. These legal bases are explained and/or referred to when XCOM collects personal data. As such, XCOM is likely to collect personal data on the basis of:

♦ the consent of the person concerned;
N.B.: in France, the CNIL recognizes two exceptions to prior consent in electronic prospecting, detailed in a fact sheet on electronic prospecting dated October 2016:
– in relationships between professionals, the prior consent of the person concerned is not required for commercial solicitations sent to the professional e-mail address as soon as these solicitations are related to the profession of the person in question. This tolerance is known as the “BtoB exception”. As XCOM’s activities are mainly carried out between professionals, data is often collected following prior information.
– prior consent is also not required for any solicitation sent to a data subject for services/products similar to those that this person would have already acquired from the same organization.

♦ performance of obligations under a contract;
N.B.: The collection of personal data from our customers and users is necessary in order to perform the terms of the contract (e.g. subscription, subscription to an online service, free or paid, etc.) and to ensure the supply of the subscribed service or the product acquired by the natural person concerned. Thus, in this context, the individual’s consent is not required since the processing carried out is linked to the performance of the contract.

♦ the legitimate interest¹ of the data controller;
N.B.: In certain circumstances, the very nature of the service provided by XCOM involves the collection of personal data from its customers and users and the transmission of this information to designated third parties (e.g. matchmaking services).
Such processing, linked to the legitimate interest of the data controller in this hypothesis, is considered a reasonable expectation on the part of the data subject with regard to the description of the service provided. Of course, XCOM constantly assesses whether its legitimate interest is not outweighed by the interest of the data subject or by respect for his or her fundamental rights and freedoms.

♦ a legal obligation making processing compulsory.
N.B.: The regulatory context of an activity may make certain data processing and transfer mandatory: e.g. for product or service invoicing, training activities (attendance sheet), etc.

1.2.
Collection methods:
1.2.1.
Collection via forms

Accessing, using, downloading, purchasing or subscribing to certain services or products implies the collection of personal data concerning the prospective customer or user. In these cases, when filling in paper or electronic forms, people transmit information about themselves. These forms systematically specify:
– the name of the data controller,
– the purposes associated with the data collection,
– whether the data collection is made necessary by the subscription to the service concerned or by the purchase of the product envisaged,
– any other uses envisaged and the legal basis for the data collection carried out;
– a reference to the relevant pages of this charter on the procedures for exercising rights by individuals, the contact details of the DPO, the rules concerning data retention periods, the procedures for lodging complaints with the supervisory authority, etc.

1.2.2.
Collection via cookies

The term “cookies” is to be understood in the broadest sense: all traces deposited and/or read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application. Cookies, which are based on a file that may be stored on the user’s computer during browsing, are used in particular to simplify site browsing (automatic authentication, personalization of certain information, etc.) or to personalize advertising that appears during user browsing.

Some cookies are deposited by XCOM directly during browsing on one of its sites. Site users may refuse the use of these cookies at any time by adjusting their browser settings, it being specified that such adjustments may modify the conditions of access to products, content and services requiring the use of cookies. Instructions on how to configure your browser are given in Appendix 2 of this charter.

In addition, other cookies are placed by companies outside XCOM in order to collect user navigation data when browsing different sites. XCOM works with some of these companies. To help users detect the cookies that may be installed on their computers, certain sites such as YourOnlineChoices offer tools for listing and configuring your cookies.

XCOM sites mainly use the following cookies:

Audience measurement cookies:
– Google Analytics

Social network cookies:
– For LinkedIn

In accordance with current legal provisions, before placing or reading a cookie on a user’s computer, XCOM:
– informs Internet users of the purpose of cookies;
– obtains their consent where this is required;
– indicates to users the means of refusing them.

Cookies and tracers strictly necessary for the provision of a service expressly requested by the user do not require the prior consent of users.
For example, the following cookies do not require user consent:
– “shopping cart” cookies for a merchant site;
– “session identifier” cookies, for the duration of a session, or persistent cookies limited to a few hours in certain cases;
– authentication cookies;
– session cookies created by a multimedia player;
– load balancing session cookies;
– certain audience measurement analysis solutions (analytics);
– persistent user interface personalization cookies (choice of language or presentation).

All other cookies require prior information and a request for consent, for example:
– cookies linked to advertising operations;
– social network cookies generated by social network sharing buttons when they collect personal data without the consent of the persons concerned;
– certain audience measurement cookies.

In accordance with CNIL recommendations, consent is obtained by means of a visible banner on the website, which must contain the following information:
– the precise purposes of the cookies used;
– the possibility of objecting to these cookies and changing the settings by clicking on a link in the banner entitled “Learn more and configure cookies” (with a reference to this paragraph and to Appendix 1 below);
– that continued browsing implies consent to the deposit of cookies on the user’s terminal.

In general, if the user shares his computer with others, he must ensure that he deletes any cookies installed on his computer via his browser settings.

1.2.3.
Collection by telephone

XCOM provides certain services by telephone and may collect personal data in the process. Whenever possible, telephone contact is confirmed by e-mail, enabling the person concerned to keep a written record of the conversation and to exercise his or her rights at any time.

1.2.4.
Indirect collection

XCOM may obtain personal data from third parties (see chapter 5). In such a case, XCOM:
– establishes a contract with this third party in accordance with the provisions of the Regulation;
– notifies individuals of the transfer of their data to XCOM under the conditions defined by the Regulation;
– indicates in its files the source of the data in order to ensure traceability;
– informs the individuals concerned of the procedures for exercising their rights.

2. What type of information is collected?

Some of the information collected constitutes “Personal Data”, i.e. data concerning individuals that enables them to be identified. In compliance with current legislation, XCOM has adopted the principle of minimization in the collection of data, and only collects data that is strictly necessary for the objective pursued and explained to the individuals concerned, leaving them free to exercise their rights.

The personal data likely to be requested, depending on the nature of the services or products provided, are as follows:

Mainly:
– Your name and contact details, including e-mail and postal addresses,
– Your job title,
– Your telephone and fax numbers,

where applicable for certain products and services:
– computer equipment used during browsing,
– information relating to your professional background (CV, professional training, awards, etc.), your location data,
– your connection and browsing data (IP addresses, logs), etc.

3. What is the purpose of the data collected?
3.1.
Use of collected data

XCOM may use personal data in its possession in order to:
– send commercial information relating to its products, promotions and offers, as well as other information relating to its products or services, tailored to the interests of the data subjects;
– transmit information on the products and offers of third parties (XCOM’s customers or commercial partners) in relation to the function and/or with regard to an interest identified in relation to the activity of the data subject or that of the organization to which he or she belongs;
– publish paid directories of professionals and decision-makers in order to offer them products and services related to their functions and/or to an interest identified in relation to the activity of the person concerned or that of the organization to which they belong.

This personal data will be used by XCOM for the promotion of its own products and services, and for prospecting on behalf of third parties. It will only be used within the strict limits defined by current legislation.

3.2.
Methods of sending information

Depending on the contact details collected, XCOM and its partners may transmit information by the following means:
– Text message sent to a person (SMS or MMS, notification, e-mail, and/or any other form of electronic message);
– Message via social networks;
– Telephone;
– Postal mail;
– Web promotional banner;
– Internet search engine.

3.3.
Purposes of collection

The purpose of the data collection is systematically indicated when it is carried out directly by XCOM, and recalled when the data is transferred to a third party. XCOM may use a person’s personal data for the following purposes in particular:
– In order to register him/her on its websites and/or information systems and to manage the delivery and invoicing of services/products provided by XCOM (including the processing of any searches or requests for information concerning us or concerning its products or services), e.g. in order to be able to perform its obligations under the terms of any contract binding it to the data subject and in the context of the management of this type of contract (e.g. management of user access identifiers for software, access badges for trade shows, forums, etc.);
– For the purposes of complying with legal obligations (e.g. management of attendance at training sessions);
– For the purposes of monitoring, critically examining and improving its range of products and services;
– For the purposes of analyzing connection and browsing data in order to deduce browsing behavior and/or adapt the content offered according to affinities observed;
– In order to keep files for internal administrative use (customer complaints, loyalty, etc.);
– For the purposes of commercial canvassing on its own behalf or on behalf of its commercial partners and advertisers, in accordance with the law;
– For commercial prospecting purposes on its own behalf or on behalf of its commercial partners and advertisers, under the conditions defined below in the section “Use of collected data”;
– For the purposes of participation in contests, lotteries or promotions.

4.
How and for how long is data stored?

The data in XCOM’s databases is processed according to strict control rules, in line with the state of the art and the recommendations of the relevant supervisory authority.

4.1.
Storage of personal data

XCOM takes all necessary precautions to preserve the security and confidentiality of Personal Data, and in particular to prevent it from being distorted, damaged or accessed by unauthorized third parties. The recommendations of the French Data Protection Authority (Commission Nationale Informatique et Liberté) are taken into account in security management throughout the Group.

4.2.
Data retention period and archiving

The retention period depends on the activity concerned, the nature of the contact (customer or prospect) and industry practice.

♦ XCOM keeps certain mandatory documents (invoices, etc.) for the legal retention period.
♦ The retention period for personal data is set by default for XCOM for a period of 5 years.
♦ Some data is kept for a shorter retention period:
– Cookies expire thirteen months after their last update.
– Prospect data is deleted after a period of 3 years without response to any solicitation.
– Candidate CVs are kept for 2 years.
♦ The duration is sometimes linked to the relevance or necessity of its processing: customer data is kept for the duration of the commercial relationship, or data present in directories is kept for the duration of the mandates of the persons concerned.

5. Who are the third parties with access to the personal data collected?
5.1.
Within the XCOM company

XCOM is made up of a number of companies, both within and outside the European Union, which may receive personal data from another group subsidiary as part of its functional organization². By way of example, certain processing operations are carried out by one of the staff members of another group subsidiary in order to provide commercial assistance, market research or customer services, as well as account management, the supply of products or services provided now or in the future, or participation in competitions, lotteries or promotions.

The marketing and production of certain XCOM products and services are in some cases carried out across several group entities, and the sharing of resources may involve the use of files between several entities in a subcontracting or co-responsibility processing relationship. All intra-group transfers outside the European Union are governed by a contract containing standard contractual clauses (see chapter 7 below).

5.2.
Outside XCOM

XCOM may transfer the personal data it collects to various third parties, such as:
– customers/partners who have subscribed to a service that may involve the collection of users’ personal data, in particular in the context of a request to be put in contact or in the context of compiling a prospecting file;
– service providers, subcontractors and suppliers in order to carry out services on its behalf (for example: technical services, payment services, identity verification, providers of analytical solutions, chat, services);
– other companies, financial organizations or law enforcement agencies/services for the purposes of fraud prevention or detection, where such disclosure is necessary to preserve XCOM’s rights;
– where provided for by law or at the formal request of an authority (in particular as part of legal proceedings), public, semi-public or private bodies carrying out a public service mission;
– in the event of a merger, acquisition, dissolution or sale of all or part of its assets.

The persons concerned will be informed by e-mail and/or by a prominent message on the XCOM website(s) of any change in ownership or concerning the uses of personal data and of the choices available to them.

5.3.
Working arrangements with third parties

In the event that personal data is transferred to a third party for any reason whatsoever (e.g. subcontracting services, services provided on behalf of a client), XCOM applies the conditions defined by the legislation in force, in particular informing the persons concerned of the transfer. XCOM ensures that appropriate contractual stipulations between XCOM and the third party concerned guarantee that the latter:
– will only use personal data for the purpose specified by XCOM and in accordance with the objectives defined in this charter,
– and will have taken appropriate security measures to prevent unauthorized or unlawful processing of personal data, accidental loss or destruction of, or damage to, personal data.

6. Who should I contact for information?

XCOM has adapted its organization in order to meet the requirements of the European Data Protection Regulation and to provide all persons with full information on the personal data concerning them collected and on the processing carried out on such data.

6.1 Exercising rights of access, opposition, rectification and deletion

Any request relating to the exercise of your rights should be sent to info@xcom.fr. This request must include as much information as possible so that it can be processed on receipt within a maximum period of two months: for example, people must specify the e-mail address requested and for which they are sending the request in order to facilitate searches.

6.2 Exercising the right to be forgotten

Any request concerning personal data appearing in an article from a medium published by XCOM must be sent to the following address: info@xcom.fr. This request must indicate the reasons for the request. Once the deletion of data has been processed, any request for an article to be dereferenced in a search engine must be addressed directly to the said search engine by the person concerned.
6.3 Data portability Any request relating to data portability should be sent to info@xcom.fr, who will advise you on the feasibility of such a request.
6.4 Appointment of a Data Protection Officer (DPO) and recourse to the supervisory authority

In order to complete this system, XCOM has appointed a Data Protection Officer who can be contacted at the following address: info@xcom.fr, for any questions or difficulties relating to the processing of personal data. Any person may contact the National Commission for Information Technology and Civil Liberties (CNIL) directly.

7. Is the data transferred outside the EU?

If XCOM communicates Personal Data to one of its subsidiaries or to a third party located outside the European Union, measures are taken to ensure that said data will benefit from the same level of protection as that imposed by the European Union in terms of data protection. As such, XCOM will ensure that the processing is carried out in accordance with this charter and that it is governed by the standard contractual clauses of the European Commission which guarantee a sufficient level of protection of the privacy and fundamental rights of individuals.

8. Are there specific processing methods?

XCOM may combine information concerning companies with information provided by individuals under the conditions and for the purposes defined in this charter. The profiling methods used within XCOM consist of carrying out manual or automated cross-referencing between company files and our XCOM contact databases (name, first name, position, email address, etc.), based on objective criteria (size, sector, IT equipment, etc.).

9. Recruitment

As part of its recruitment policy, XCOM collects and stores personal data relating to potential candidates. XCOM collects the information necessary to search for the most suitable profiles for the positions to be filled in compliance with the law and the rights and freedoms of individuals. XCOM prohibits itself from transmitting to a third party the CV with the contact details of an individual without their consent.
Candidates who wish to modify or delete their personal data from our databases may at any time send an email to info@xcom.fr with the subject line “personal data”. The candidate must ensure that the persons given as references agree to be contacted by XCOM.

10. How will you be informed of updates to this charter?

XCOM may modify or update this Personal Data Charter. Any update will be posted in places deemed appropriate, so that all users will be notified of the date of the last update. The most important updates may be the subject of a notice on the XCOM institutional website www.xcom.fr at the latest when the said modifications come into force.

APPENDIX 1: XCOM Group companies

XCOM – 9 rue du Petit Rhône 13470 Carnoux en Provence, France
Tel: +33 4 42 70 00 66

XCOM EVENTS – Casanearshore Shore 1 20 000 Casablanca, Morocco

APPENDIX 2: Browser settings

The settings may change your conditions of access to content and services requiring the use of cookies. If the browser is configured to refuse all cookies, access to all or part of the site may be blocked. In order to manage cookies as closely as possible to user expectations, the browser must be configured taking into account the purpose of cookies.

• Microsoft Internet Explorer
• Microsoft Edge
• Apple Safari
• Google Chrome
• Mozilla Firefox
• Opera

1. Recital (47) of Regulation 2016/679: The legitimate interests of a controller (…) may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller (…). (…) The processing of personal data for direct marketing purposes may be considered to be carried out for the purpose of a legitimate interest.

2.
Recital (48) of Regulation 2016/679: Controllers that are part of a group of undertakings or of establishments affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data relating to customers or employees.