You can access your data and obtain a copy (Article 15 of the GDPR), obtain the rectification of inaccurate or incomplete data (Article 16 of the GDPR), object to the processing of your data (Article 21 of the GDPR) and obtain the erasure of your data (Article 17 of the GDPR). In certain cases, you have the right to portability (Article 20 of the GDPR) and to the limitation of processing under the conditions provided for by Article 18 of the GDPR. To exercise your rights, send an email to rgpd (at) peopleforai.com
—
The French company GAMAED, trading name People for AI, located at 1 Allée André Guillot – 78160 MARLY LE ROI – FRANCE, represented by its President, Mathieu WARNIER (hereinafter referred to as “GAMAED”), hereby describes its commitment to complying with the General Data Protection Regulation (GDPR) in its business support functions. Its data labeling, data entry, data cleaning activities are covered by Data Processing Agreements, signed with the clients.
Mathieu WARNIER is the Data Controller on the Gamaed side and can be reached at rgpd (a) peopleforai.com.
Customers, suppliers and any other entity commissioning GAMAED to process its data (hereinafter “Data Controllers”, defined as the entity that determines the why and the how for processing personal data) accept the terms hereof by working with GAMAED.
Categories of Processed Data
The company processes the following data as part of its business support functions :
- For employee management (based on a contract): first name, last name, CV, postal address, email address, national identification number, date of birth, tax class, criminal record (as allowed in the competent juridiction), bank account, salary, sick leave certificates;
- For supplier management (based on a contract): first name and last name of the contact person, postal address, email address, phone number, position in the company, industry sector, language;
- For the management of external contact lists to the company: first name, last name, email address, position in the company, industry sector, language;
- For customer management: first name and last name of the contact person, postal address, email address, phone number, position in the company, industry sector, language;
Data provided by customers for operational activities is managed on an ad-hoc basis and documented by the respective Data Controllers. This processing may be subject to an ad-hoc Data Processing Agreement.
Categories of recipients of processed data
As part of its day-to-day management and administration:
- For administrative management of suppliers and customers, data is transferred to employees in managerial or supervisory positions;
- Employee data is transferred to an external organization for the preparation of pay slips;
Personal data of contacts outside the company will be transferred to employees in charge of sales and marketing. - For the processing of Personal Data provided by the Companies responsible for processing, data may be processed by subcontractors. In this case and in compliance with the company’s GDPR commitments, the Companies responsible for processing are notified in writing or by ad-hoc contract of these data transfers. GAMAED may not recruit another subcontractor without the prior written authorization, specific or general, of customers or suppliers.
Our web services are hosted by OVH and Google Workspace represents our primary cloud storage provider, although ad-hoc contracts with customers allow us to use other cloud services, always after customer agreement.
Mutual acknowledgement of obligations and commitments
The Companies responsible for processing acknowledge that the data provided to GAMAED has been collected in strict compliance with the General Data Protection Regulation (hereinafter GDPR) and that the natural persons concerned by the data collection:
- are aware of the reason for the collection of the various data concerning them ;
- and understand how their data will be processed.
These companies ensure that data subjects have control over their data, making it easier for them to exercise their rights.
Given the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, GAMAED implements appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR. Our company commits to only process personal data based on documented instructions from the Data Controller companies.
While taking into account the nature of the processing, GAMAED commits to assisting the responsible companies in processing, through appropriate technical and organizational measures, in fulfilling their obligation to respond to requests from the concerned individuals who approach them to exercise their rights as outlined in Chapter III of the General Data Protection Regulation. GAMAED also commits to helping these responsible companies ensure compliance with the obligations set out in Articles 32 to 36 of the General Data Protection Regulation.
Processing procedure, security level and availability
In order to guarantee a level of security appropriate to the risk, the Companies responsible for processing, as well as GAMAED, undertake, as required:
a) pseudonymization and encryption of personal data;
b) means to guarantee the constant confidentiality, integrity, availability and resilience of processing systems and services;
c) means for restoring availability and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
d) a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
GAMAED remains at the disposal of Companies responsible for processing so that they can obtain all the information necessary to demonstrate compliance with the obligations provided for by the GDPR.
Obligation to Inform
GAMAED undertakes to immediately inform the Data Controllers if, in its view, an event or instruction constitutes a breach of the GDPR or other provisions of Union law or the law of Member States relating to data protection. GAMAED undertakes to notify the Data Controllers in writing of any Personal Data Breach as soon as possible after becoming aware of it.
Heritability of Commitments
GAMAED undertakes to ensure that its employees, Subcontractors, agents, and the employees of these entities comply with the commitments made herein. GAMAED undertakes not to disclose such information to anyone who does not have a legitimate need for it to fulfill the services required by the Data Controllers.
Retention Period
Employee data: 2 years of retention after an employee leaves the company.
Supplier data: 3 years of retention after the termination or end of the service or sales contract.
Data of external contacts to the company: 2 years after the initial collection or last update of contacts.
Data provided by customers: No retention after the delivery of data related to the service provisions.
Rights of the Concerned Individuals
You can access the data concerning you and obtain a copy (Article 15 of the GDPR), request rectification of inaccurate or incomplete data (Article 16 of the GDPR), object to the processing of your data under the conditions provided for by Article 21 of the GDPR, and obtain the deletion of such data under the conditions provided for by Article 17 of the GDPR. In certain cases, you have the right to data portability (Article 20 of the GDPR) and to restrict processing under the conditions set out in Article 18 of the GDPR.
Complaint
If you believe that our processing of your data constitutes a violation of the GDPR, you should first contact our Data Protection Officer (DPO) at the address rgpd (at) peopleforai.com. Then, only if an amicable solution has not been found within 2 months, you can file a complaint with the CNIL (www.cnil.fr).