Personal Data Protection Policy v08/23
The purpose of this Personal Data Protection Policy (PDPP) is to explain how the company Cryptolog International, a simplified joint-stock company headquartered at 7 rue du Faubourg Poissonnière, 75009 Paris, listed in the Paris Trade and Companies Register under number 439 129 164, (hereinafter Universign or “we”), Trust Service Provider, collects and processes the personal data of the users of its services as data controller.
The PDPP is addressed to users of the Universign services (hereinafter “users” or “you”) except signatories, who, within the context of electronic signature services, agree to carefully read and accept the general conditions included in the specific personal data processing clauses before signing each document.
The PDPP does not apply to the personal data processing that Universign may carry out as sub-processor, as is the case for any processing for which our customers alone determine the purposes and means of implementation.
Neither does the PDPP apply to the relevant policy:
- on processing the personal data of applicants for a post in Universign and more generally,
- on processing personal data collected through our websites outside of any use of our services.
These are managed by the Information notice on personal data on the website.
Within this PDPP, “personal data” means any information relating to an identified natural person or one who may be directly or indirectly identified though this data, and the term “processing” refers to an operation or set of operations carried out on personal data, whatever the procedure employed.
Collection of personal data
The communication of certain information is mandatory in order to use Universign services. If this data is not communicated, it will not be possible for Universign to process your request to use a service or for information about this service.
The legal bases for processing may depend on the circumstances: contract execution or consent.
The personal data used as part of our services is collected:
- directly from the users of our services;
- by our customers who provide Universign services to users, for their own needs, and who pass us the personal data of their users as part of using the service
- by our trade partners, with whom we offer shared services and/or who include Universign services as part of the services they offer their customers and who pass us the personal data of their users
The PDPP will apply regardless of how your personal data is collected.
The data that we collect from you depends on your use of the service(s) and may include:
• identity and contact details (surname, given name, sex, email address, phone number);
• your service login details (username and password);
• means of payment (bank details, credit card number);
• the information that you send to customer service;
• communication preferences (preferred language).
The data transmitted to us by our customers or partners depends on their use of the service(s) and may include:
• identity and contact details (surname, given name, sex, email address, phone number);
• your service login details (username and password);
• other data such as your username with our customer or partner;
• communication preferences (preferred language).
The data derived from the use of our services is collected automatically. This information depends on the way in which you interact with the service and may include:
• information about your computer and your connection environment, including IP address, technical identifier(s), error reports and performance data;
• usage data, such as the features you have used, the settings you have selected, the data on which you have clicked, including date and time, and pages viewed;
- geographic information for services based on IP address localisation.
Cookies
The cookie policy that supplements this policy is available at the following address: www.universign.com/fr/politique-de-gestion-de-cookies/.
Use of personal data
According to your use of the service(s), personal data is used by Universign as part of the services it provides to:
- create your Universign account and manage your access to the service(s)
- allow you to use one or more of our services
- preserve proof of electronic transactions carried out through Universign
- allow you to request information about Universign services
- process and respond to a request, an order or a subscription to a service or services
- provide technical support and allow for the proper functioning and security of the service
- improve our services, adapt their features and develop new ones
- offer personalised content to offer the most relevant services and/or those which meet your expectations
- suggest offers that are inherent to one or more services that we market
- notify of any modifications, updates and other announcements concerning the services
- comply with our legal obligations, resolve any potential disputes and enforce our contracts
Personal data preservation period
All personal data collected is preserved for a limited duration according to the purpose of the processing and the preservation period provided for by the legislation applicable to our services.
| Purposes | Duration of data preservation before its deletion |
| To create your Universign account and manage your access to the service(s) | 12 months after the end of relations with Universign |
| To allow you to use Universign services | 12 months after the end of relations with Universign |
| To create your electronic signature or seal certificates | 17 years after the date of issue of the certificate |
| To preserve proof of electronic transactions for the purposes of audits carried out by supervisory bodies or to be produced in case of dispute | From 15 to 99 years according to the applicable contractual conditions |
| To allow you to request information about Universign services | 12 months after the end of relations with Universign |
| To process and respond to a request or a subscription to a service or services | 12 months after the end of relations with Universign |
| To provide technical support and allow for the proper functioning and security of the service | 12 months after the end of relations with Universign |
| To improve our services, adapt their features and develop new ones | 12 months after the end of relations with Universign |
| To offer personalised content to offer the most relevant services and/or those which meet your expectations | 12 months after the end of relations with Universign |
| To suggest one or more services marketed by Universign | 36 months after the end of relations with Universign |
| To notify of any modifications, updates and other announcements concerning the services | 12 months after the end of relations with Universign |
At the end of the indicated periods, the data will, if necessary, be archived for a duration which shall not exceed the periods provided by the applicable archiving regulations.
Third party communication, subcontracting and transferring personal data
Outside of the situations provided for by this PDPP, your personal data will never be sold, shared or communicated to third parties by Universign.
If you access the service(s) through a subscription administered by your organisation, your personal data and certain user data collected by the service may be accessible and shared with the administrator of your organisation in order to analyse use, manage service subscriptions or provide technical assistance.
Your personal data may be communicated to sister companies or subsidiaries as well as service providers acting under our instruction for the sole purpose of carrying out the processing for which it was initially collected. In this case, these third parties are personal data sub-processors within the meaning of the applicable regulation, acting under our instruction and on our behalf. They are required to process said data in accordance with this Policy. They are not authorised to sell or disclose this data to third parties.
To ensure the provision of Universign services across the world, and in particular the delivery of SMS messages containing the confidential codes which allow users of the electronic signature service to identify themselves, personal data may be transferred to our sub-processors located outside of the European Union.
In these circumstances, we ensure that we can guarantee sufficient protection for data transfer. Within the context of these measures, we are particularly able to finalise any contractual clauses approved by the European Commission with our sub-processors, and implement all technical or organisational measures that seem relevant to us.
As part of an internal audit, a request from an administrative or judicial authority, or a pre-litigation or litigation procedure, some of your personal data may also be shared with other users of the service to confirm or demonstrate the validity of the electronic signatures you have created through the Universign service. In this case, only the relevant personal data required to prove the validity of the transaction will be transmitted.
Furthermore, if you access Universign services via a third party, your personal data may be shared with the publisher of this third-party application, to allow them to provide you with access to the application, under the terms of a licence and confidentiality policy specific to this publisher.
Finally, personal data may be disclosed if we are required to do so by law or by a regulatory provision, or if this disclosure is necessary as part of a legal or administrative request.
Security and confidentiality
Our main concern is to preserve the quality, confidentiality and integrity of your personal data.
To ensure the security and confidentiality of the personal data we collect, we make use of both technical means (networks protected by standard devices such as firewalls, network partitioning, adapted physical hosting, etc.) and organisational means (strict, nominative access control, procedures, security policy, etc.).
During the processing of your personal data, we take all reasonable measures to protect it from loss, misuse, unauthorised use, disclosure, alteration or destruction.
All those with access to your personal data are bound by an obligation of confidentiality, and will be subjected to disciplinary measures and/or incur liability if they fail to comply with these obligations.
Despite our efforts to protect your personal data, we alone cannot guarantee the infallibility of this protection, given the inevitable risks which escape our control. Furthermore, if you have a Universign account, it is important that you exercise caution to avoid all unauthorised access to this account, by keeping your password confidential and ensuring that you log out if using a shared computer.
Right to access, rectification, erasure and objection
Whenever we process personal data, we take all reasonable measures to ensure the accuracy and relevance of your personal data in relation to the purposes for which it is collected and guarantee that you may exercise your rights on this data.
You have a right to access your data, to rectify it if it is incorrect and, in the circumstances and within the limits provided for by the regulations, may exercise your right to object to or delete some of this data, to limit its use or to request its portability with a view to its transmission to a third party.
If you need to update your data, you can do this by contacting the Data Protection Officer at the address:
Universign – Data Protection Officer
7 Rue du Faubourg Poissonnière 75009 Paris.
The signed request must be delivered by post with acknowledgement of receipt and should include a copy of your identity document. This allows us to make sure that it is you who has made this request.
Data Protection Officer
Universign has designated a Data Protection Officer responsible for monitoring the protection of personal data and compliance with legal and regulatory requirements in this respect.
For any additional information or any complaint regarding the application of the Personal Data Protection Policy, you may contact the officer at: privacy@universign.com
In case of any unresolved issues with regard to the use of your personal data, you may refer the matter to the CNIL (French Data Protection Agency).
Changes to the Personal Data Protection Policy
This Policy may be updated according developments in the Universign service or if required by regulations.