Privacy Policy

1. Preamble and purpose

In the context of the management of the website accessible at https://www.sfa-enviro.com/ (the “Site”), SFA enviro, the data controller (“we”, “us”, “our”) processes personal data of the users of the Site (the “Data Subjects”).

We undertake to process the personal data of the Data Subjects in accordance with the applicable regulations, and in particular Regulation No. 2016/679 (EU) of 27 April 2016 known as the General Data Protection Regulation (“GDPR”), the French Data Protection Act of 6 January 1978 in its updated version (“LIL”) (together, the “Applicable Regulations”).

In this respect, we undertake to respect our obligation of transparency and information towards the Data Subjects by making available to them the present privacy policy, which aims to inform them about the characteristics of the processing of personal data that we implement in the context of the use of the Site, and about the rights they have in this respect.

2. Definitions

Terms beginning with a capital letter are either defined herein or have the meaning given to them by the Applicable Regulations, and in particular the GDPR, such as, in particular, the terms “Personal Data”, “Processing”, “Data Subjects”, “Controller”, “Subprocessor”, “Recipient” or “Data Breach”.

3. Treatment characteristics

The Processes that we implement from Data Subjects’ Data are presented in the following tables.

3.1 Contact form

Purpose of the Processing	Management of contacts by and with Concerned Persons
Legal basis of the processing	Legitimate interest / Pre-contractual measures
Category of Personal Data	data relating to identity (surname, first name) professional data (company) contact data (email address, phone number) connection data (traces, logs) any other data that may be communicated by the Person Concerned in his/her message
Duration of treatment	1 year from collection 3 years for personal data relating to a prospect, from the date of their collection or the last contact from the prospect.Conformément à l’article 13 du RGPD, pour chaque formulaire disponible sur le site interne et pour la newsletter, il convient d’ajouter une mention d’information concernant le traitement des données personnelles.

In accordance with Article R.10-13 of the French Post and Electronic Communications Code, which stipulates that connection data must be kept for a period of one year from the date of recording.

3.2 Quote request form

Purpose of the Processing	Management and follow-up of prospects and their requests for quotes
Legal basis of the processing	Pre-contractual measures
Category of Personal Data	data relating to identity (surname, first name) professional data (company) contact data (email address, phone number) connection data (traces, logs) any other data that may be communicated by the Person Concerned in his/her message
Duration of treatment	3 years from their collection or last contact with the prospect/customer.3.3 Dépôt de cookies

For more information on the treatment of your data in the context of the deposit of cookies and other tracers, please refer to our Cookies Policy

3.4 Management of possible disputes, litigation and pre-litigation

Purpose of the Processing	Arrangement of evidence in the context of a possible dispute Management of exchanges in the event of a dispute Drafting of the necessary documents in case of litigation or pre-litigation.
Legal basis of the processing	Legitimate interest
Category of Personal Data	All of the above-mentioned Data as soon as they are necessary for the management of the dispute.
Duration of treatment	Retention until all avenues of appeal have been exhausted (contentious).

4. Recipients of personal data

We may disclose the Personal Data of Data Subjects to Authorized Recipients who are subject to an appropriate obligation of confidentiality, which may be internal or external as appropriate:

The internal recipients are as follows:
- The members of our staff whose duties, functions and missions justify that they process the Personal Data of the Data Subjects (e.g. communication department, marketing department, customer and prospect relations department, IT department) for the sole purposes provided for in this Privacy Policy and within the framework of the technical and organisational measures that we implement to preserve the confidentiality and security of the Personal Data detailed below;
The external recipients are :
- SFA Group subsidiaries and the parent company in their capacity as subcontractors whose duties, functions and tasks justify their processing of Data Subjects’ Personal Data (e.g. SFA Tech in charge of IT services at Group level).
- The service providers or subcontractors that we may use in the context of the Processing (e.g. hosting service provider, call centres, emailing);
- Entities in charge of advice, audit and financial control (auditor, lawyer) ;
- Administrative or judicial authorities within the scope of their powers ;
- In the event of a proposed fund raising, acquisition or disposal of a business or assets by any means including by disposal of the business carrying on that business or owning those assets, the potential acquirer(s) and their advisors as part of a pre-audit of the transaction. In the event of an acquisition by a third party, Personal Data will form part of the transferred assets and as such will be processed by the acquirer who will act as the new Data Controller under its own privacy policy.

5. Rights of the persons concerned

5.1 Statement of Rights

In accordance with the applicable Regulations, Data Subjects have the following rights with respect to their personal data:

A right to ask us for confirmation that their data is being processed, to obtain information on the characteristics of such processing, to access such data and to request a copy (right of access and copy);
A right to rectify or complete any data concerning them that is incorrect or obsolete (right of rectification);
A right to withdraw their consent at any time provided that the Processing concerned is exclusively based on this legal basis (right to withdraw consent);
A right to object to the Processing of their Personal Data on grounds relating to their particular situation and to obtain their erasure, in which case we will grant this request unless the Processing is justified on legitimate and compelling grounds (right to object on legitimate grounds and right to erasure) ;
A right to obtain the limitation of the Processing temporarily in case of a request for rectification or opposition on legitimate grounds while we analyse the request, which in practice means that the Personal Data is kept, but we cannot process it (right to limitation) ;
A right to data portability, i.e. a right to obtain from us the return of the personal data they have communicated in a format of common use when the Processing is automated and based on consent or on the execution of a contract;
A right to formulate instructions concerning the Processing of their data after their death and to ask us to retain, delete or communicate their data to an expressly designated third party, it being specified that once we become aware of the death of a Data Subject and in the absence of instructions from him or her, he or she undertakes to destroy his or her Personal Data, unless its retention is necessary for evidentiary purposes or to comply with a legal obligation (post-mortem right)

5.2 Terms and conditions for exercising rights

If the Data Subject wishes to exercise any of the above rights, he or she may contact us via our form on the contact page.

The Data Subject’s request must be made exclusively by the Data Subject (unless a mandate is given to a third party in due form) and must be as clear and exhaustive as possible to enable us to respond as quickly as possible, within one to three months depending on its level of complexity.

We may ask the Data Subject to complete his or her request if it is not sufficiently precise, if the right he or she wishes to exercise is not easily identifiable, or if he or she is unable to establish his or her identity, in which case we may ask him or her to provide additional information, including proof of identity, which will be deleted as soon as possible after verification of his or her identity.

In addition, we will not be obliged to respond to the Data Subject’s request if it is manifestly unfounded or excessive, and in particular if the request is repetitive or too complex to process and would have the purpose or effect of destabilising our activities.

6. Security

We implement appropriate technical and organizational security measures to preserve the confidentiality and security of the Personal Data we process and to prevent its unauthorized destruction, loss, alteration or disclosure.

As an example, the following measures have been put in place and are documented in a safety assurance plan:

Hosting of Personal Data on servers located within the European Union on the soil of a member country;
Awareness of our staff who process Data Subjects’ Data;
User authentication features with personal and secure access via strong, confidential and frequently changed logins and passwords;
Procedure for managing authorizations (definition and review of authorization profiles according to the profile of the users of its information system, removal of obsolete accesses);
Access tracking, connection logging, incident management and, if necessary, encryption of certain Personal Data;
Regular implementation of internal audits and, if necessary, differentiated penetration tests to control and evaluate the effectiveness of the security measures in place;
Physical security of premises (codes, keys and access badges) and workstations (automatic session locking, antivirus and firewall).

Where we use subcontractors, i.e. service providers to whom we have delegated all or part of a Processing operation and who process the Personal Data of Data Subjects in accordance with our instructions, we undertake to require them to provide security guarantees equivalent to those we implement to protect their Personal Data and reserve the right to audit them to ensure compliance with their obligations.

In the event of a Data Breach, we undertake to notify the CNIL in the manner prescribed by the applicable Regulations and, if the said Breach poses a high risk to the Data Subjects, to notify them and to provide them with the necessary information and recommendations, if appropriate.

7. Updating of this policy

We may modify, supplement or update this policy at any time to take into account legal, regulatory and/or jurisprudential developments, changes in the characteristics of the Processing or the implementation of a new Processing.

8. Contacts

Concerned Individuals may direct any questions or complaints regarding this policy, or make recommendations or comments regarding this policy, in writing to us at the following address

– By mail : 41Bis Avenue Bosquet – 75007 PARIS

– By email via our form on the contact page

Data Subjects may also ask any question to the CNIL or lodge a complaint with the latter.