Personal Data Protection Policy
(Update date : 2024-12-16 – 10h31 )
Version 2024-12-16 – 10h31
Version 2023-09-01 – 14h42
Preamble
The purpose of this Personal Data Protection Policy (PPDP) is to explain how Cryptolog International, a simplified joint stock company with its registered office at 33 Pl. Ronde 92800, Puteaux, registered in the Nanterre Trade and Companies Register under number 439 129 164, (hereinafter Universign or “we”), a Trusted Service Provider, collects and processes the personal data of the users of our service solutions in its capacity as data controller.
The PPDP is intended for users of Universign services (hereinafter referred to as “users” or “you”) who, as part of the electronic signature services, read and accept the general terms and conditions including the specific personal data processing clauses before each document signature.
The PPDP does not apply to the processing of personal data that Universign may carry out as a subcontractor, which is the case of processing for which our customers alone determine the purposes and means of implementation.
The PPDP does not concern the applicable policy either:
- The processing of personal data collected from our websites outside of any use of our services. This is governed by our Cookie Management Policy and our Privacy Policy.
- Data processing carried out as part of our support activities, in particular sales, marketing, HR, accounting, etc. These are governed by our Privacy Policy.
In this PPDP, “personal data” means information relating to an identified natural person or a natural person who can be identified directly or indirectly from such data, and “processing” means an operation or set of operations relating to personal data, regardless of the process used.
This Policy may be updated as the Universign service evolves or as required by regulation.
1.How do we protect your personal data?
The protection of personal data is a major issue for Universign. As part of our activities, we collect and process your personal data in compliance with the French Loi Informatique et Libertés and the General Data Protection Regulation (GDPR) in order to respond to your needs and requests.
If you would like to know more about Universign’s requirements and commitments regarding the protection of your personal data, you can consult our “Privacy Policy” (link to privacy policy).
2.What processing operations, data, categories of persons, retention periods and grounds are covered by this policy?
In order to use Universign services, certain information must be provided. Failure to provide this information will make it impossible for Universign to process your request to use a service or to provide information about this service.
The personal data used for our services are collected :
- directly from the users of our services;
- by our customers who make Universign services available to users for the needs of their business and who send us the personal data of their users in the course of using the service
- by our commercial partners, with whom we offer joint services and/or who integrate Universign services as part of the services they offer to their customers and who transmit their users’ personal data to us
The GDPR applies regardless of the method used to collect your personal data.
Universign undertakes only to collect data that is strictly necessary for processing and not to divert this data from the purpose for which it was initially collected.
Depending on your use of the service(s), the personal data listed below is used by Universign as part of the services it provides for the following purposes, retention periods and on the following bases:
| Goals | Categories of data processed | Categories of people concerned | Data retention period | Legal basis |
| Create Users’ Universign accounts and manage their access to the Service(s) | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Contractual performance |
| To enable the use of Universign Services | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Consent |
| Creating signature certificates | Identification data, connection data | Signatory | 17 years after the certificate was issued | Contractual performance Legal obligation |
| To keep evidence of electronic transactions for auditing purposes by the supervisory authorities or for production in the event of litigation | Identification data, connection data | User, Signatory | 15 after the end of the Transaction in accordance with the applicable contractual conditions | Contractual performance Legitimate interest |
| Allow Users to request information about Universign Services | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Consent |
| To identify the needs of Users by means of cookies in order to provide them with the most appropriate services | Identification data, connection data | User | 13 months after cookie installation | Consent |
| Provide technical support and ensure that the Service functions properly and is secure | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Contractual performance |
| Improve the Services, adapt their functionalities and develop new ones | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Consent |
| Offer personalised content to make the Services more relevant and/or in line with Users’ expectations | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Consent Contractual performance |
| Notify changes, updates and other announcements relating to the Services | Identification data, connection data | User | 12 months after the end of the relationship with Universign | Consent |
| Storage of signed documents | Identification data for signing, personal data contained in signed documents | User | To be defined according to customer requirements | Contractual performance |
3.To whom may your personal data be communicated?
Apart from the cases provided for in this Privacy Policy, your personal data will never be sold, shared or communicated to third parties by Universign.
Your data may be transmitted or communicated depending on the processing concerned:
- Other Signaturit group entities: Signaturit; Ivnosys; Vialink
- Service providers: subcontractors of personal data within the meaning of the GDPR, which is why data is only communicated to them for specific processing and under our instructions, as part of a subcontracting agreement requiring them to comply with the principles of confidentiality.
- Authorised third parties”: tax authorities, police, justice, social security and other government agencies, who may request access to data under applicable law.
4.Can your personal data be transferred outside the European Union?
As part of the provision of its Services, Universign carries out all the processing of personal data covered by this policy within the territory of the European Union (EU).
5. How is your personal data secured?
Our concern is to preserve the quality, confidentiality and integrity of your personal data.
To ensure the security and confidentiality of the personal data we collect, we use technical means (networks protected by standard devices such as firewalls, network partitioning, adapted physical hosting, etc.) and organisational means (strict and nominative access control, procedures, security policy, etc.).
For a full list of our security measures, please consult our Privacy Policy.
When processing your personal data, we take all reasonable steps to protect it against loss, misuse, unauthorised access, disclosure, alteration or destruction.
Persons with access to your personal data are bound by an obligation of confidentiality, and may be subject to disciplinary action and/or liability if they fail to comply with these obligations.
Despite our efforts to protect your personal data, we cannot guarantee the infallibility of this protection in view of the inevitable risks which are beyond our control. Therefore, if you have a Universign account, it is important that you take care to prevent unauthorised access to this account by keeping your password confidential and ensuring that you disconnect from it when using the same computer.
6.What rights do you have over your personal data?
You may at any time exercise with Universign the rights provided for by current regulations applicable to personal data, subject to meeting the conditions and depending on the basis for the processing of the data concerned:
- Right of access: you may have access to your Personal Data processed by Universign on the basis of your consent or the performance of your contract.
- Right of rectification: you may update your Personal Data or have your Personal Data rectified if processed by Universign on the basis of your consent or the performance of your contract.
- Right to object: you may express your wish that your Personal Data no longer be processed if the processing is based on your consent (you withdraw your consent) or on contractual performance (contractual waiver clause).
- Right to erasure: you may request the deletion of your Personal Data, subject to the legal retention period, where processing is based on your consent (you withdraw your consent) or on contractual performance (contractual waiver clause).
- Right to limitation: you may request the suspension of the processing of your Personal Data based on your consent or contractual performance if you have a pending request for rectification, erasure or objection or if you consider the processing unlawful but Universign objects to the erasure of your Data;
- Right to portability: you may ask Universign to retrieve your Personal Data in order to dispose of it only if the processing is based on your consent or the performance of a contract.
7.How can you exercise your rights with regard to your personal data?
Universign has appointed a Data Protection Officer to ensure the protection of personal data and compliance with the relevant legal and regulatory requirements.
When your Personal Data is collected, you will be given the address (postal and/or electronic) to which you can send your request to exercise your rights. You can send your requests to this address by completing the appendix to our Privacy Policy.
For any further information or complaints concerning the application of the Personal Data Protection Policy, please contact privacy@universign.com
In the event of any unresolved difficulty in connection with the use of your personal data, you may lodge a complaint with the CNIL by sending your request to the following website: www.cnil.fr/fr.plaintes/internet