Privacy protection policy

Updated on 2024-02-22

As part of the use of the Application published by naaia (hereinafter the "Company"), personal data concerning you is processed.

The purpose of this Privacy Policy (hereinafter the "Policy") is to inform you about how your Personal Data is used and what rights you have in this respect.

This Policy complies with applicable legal and regulatory requirements (together the "Regulations"):

  • (i) Law no. 78-17 of January 6, 1978 on data processing, data files and individual liberties;
  • (ii) Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

1. Definitions

The terms used in this Policy have the following meanings:

  • « Application » : refers to the Naaia solution for monitoring compliance and managing the risks associated with the artificial intelligence systems designated by the Enterprise.
  • « Account » : refers to a personal access profile to the Application, restricted and reserved to each User upon authentication, and made available by the Company on the Enterprise's instructions.
  • « Enterprise » : refers to the User's employer, which provides the User with the Application.
  • « User » : refers to any natural person who holds an Account on the Application and uses it for its intended purpose as defined in the GCU, each User being individually designated by the Enterprise.

In addition, and in accordance with the Regulations, the following terms have the following meanings:

  • « Recipient » : means the natural or legal person, public authority, department or any other body that receives communication of Personal Data, whether or not it is a third party.
  • « Personal data » : means any information relating to an identified or identifiable natural person.
  • « Data controller » : means the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing.
  • « Subcontractor » : refers to the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Data Controller (the "processor" within the meaning of the GDPR).
  • « Processing of Personal Data » : means any operation or set of operations applied to your Personal Data.

2. Our commitments

The Company is committed to protecting your Personal Data:

  • Personal Data is used solely for the explicit, legitimate and specific purposes defined in this Policy.
  • Only Personal Data that is strictly necessary for the purposes pursued is processed: the Company applies the principle of data protection by default, which protects you from any excessive collection of data.
  • Personal Data is not kept beyond the period necessary for the operations for which it was collected, taking into account the nature of those operations, or beyond the periods provided for by the recommendations and guidelines of the Commission Nationale de l'Informatique et des Libertés (hereinafter "CNIL") or by legal and/or regulatory requirements.
  • Personal Data is disclosed only to authorized Recipients, within the strict framework of the purposes defined in this Policy.
  • The Company entrusts Personal Data only to Subcontractors chosen for their appropriate technical and organizational guarantees, so as to ensure the protection of the Personal Data they process on the Company's instructions.
  • Users are informed in advance and on a regular basis, in a clear and transparent manner, in particular of (i) the purposes for which their Personal Data will be used, (ii) the optional or compulsory nature of their answers in forms, (iii) the rights they have with regard to the protection of Personal Data and the procedures for effectively exercising those rights, and (iv) the Recipients.
  • Whenever required by the Regulations, the User's explicit, informed, active and unequivocal consent is obtained before their Personal Data is processed.
  • Appropriate logical, technical, organizational and legal security measures have been defined on the basis of a risk analysis of each Personal Data processing operation concerned, and are implemented by the Company and its contracted Subcontractors to ensure the protection of Personal Data.
  • Whenever the risks presented by a processing operation so require, the Company carries out a data protection impact assessment covering the privacy and Personal Data of Users, in order to adopt concrete measures tailored to those risks and to manage them.
  • The Company and its Subcontractors undertake to detect any Personal Data breach and to take all protective and corrective measures following a breach, including notifying the CNIL and, where applicable, the persons concerned.
  • The Company does not transfer any Personal Data to a third country within the meaning of the Regulations in connection with the use of the Application.
  • All employees and contributors involved in the design and operation of the Application are made aware of the principles of Personal Data protection through regular training adapted to their activity and responsibilities.
  • Employees have access only to the information they need for their work, and sensitive Personal Data is subject to specific authorizations and controls.

3. Origin of Personal Data

Users' Personal Data is collected directly from them when they create their Account, and indirectly through the Enterprise.

4. Personal data collected

Use of the Application implies the collection and processing of the following Personal Data:

  • Last name, First name
  • Title, Function
  • Professional e-mail
  • Connection data

5. Description of processing

Depending on the nature of the processing carried out in connection with the use of the Application, the Company acts either as Data Controller or as Subcontractor on behalf of the Enterprise.

5.1. Data processed by the Company as Data Controller

For each purpose, the legal basis and the retention period are as follows:

  • Providing information on the Application
    Legal basis: legitimate interests (Article 6.1 f) of the GDPR)
    Retention period: if no Account is created, 1 year from the last e-mail sent; once an Account is created, 5 years from last activity; archiving: 5 years
  • Assistance in using the Application
    Legal basis: before creation of the Account, legitimate interests (Article 6.1 f) of the GDPR); after creation of the Account, performance of the contract (Article 6.1 b) of the GDPR)
    Retention period: before creation of the Account, 5 years from last activity; after creation of the Account, until deletion of the Account; archiving: 5 years
  • Account creation and management
    Legal basis: performance of the contract (Article 6.1 b) of the GDPR)
    Retention period: until deletion of the Account; archiving: 5 years
  • Improving use of the Application
    Legal basis: legitimate interests (Article 6.1 f) of the GDPR)
    Retention period: 3 years from last activity
  • Management of complaints and of requests to exercise rights
    Legal basis: legal obligation (Article 6.1 c) of the GDPR)
    Retention period: 5 years from the date of the complaint or request; archiving: 5 years

5.2. Data processed by the Company as Subcontractor

  • Use and maintenance of the Application
    Legal basis: performance of the contract (Article 6.1 b) of the GDPR)
    Retention period: active database, for the duration required to fulfil the legal obligation; intermediate archiving, for the statutory limitation period

6. Recipients of Personal Data

Your Personal Data is accessible only to the following persons:

  • Members of the Data Controller's staff, specifically authorized and within the limits of their duties.
  • Specifically authorized staff of certified health data hosting providers, within the limits of their responsibilities, designated by and under contract with the Data Processors.
  • Specifically authorized staff of the Company's Subcontractors and technical service providers, within the limits of their assignments.
  • Third parties authorized by law.
  • Specifically authorized staff of the Subcontractors and technical service providers of the Data Controllers on whose behalf the Company processes data, within the limits of their assignments.

7. What are the rights of the persons concerned?

7.1. User rights

In accordance with the Regulations, you have the following rights:

  • Right of access: you have the right to access the Personal Data that is the subject of Processing and, where applicable, to obtain a copy of it.
  • Right to rectification: you have the right to obtain from the Data Controller the rectification of inaccurate Personal Data concerning you, and to have incomplete Personal Data completed.
  • Right to erasure: you may request the erasure of your Personal Data without undue delay, except where the Processing is necessary to comply with a legal obligation to which the Data Controller is subject.
  • Right to restriction of processing: you may request that the Processing of your Personal Data be restricted, so that the Data Controller may store the data but may not otherwise use or process it.
  • Right to portability: where the Processing is based on your consent or on the performance of a contract and is carried out by automated means, you have the right to receive your Personal Data from the Data Controller in a structured, commonly used and machine-readable format, and/or to have it transmitted to another Data Controller.
  • Right to object: where the Processing of your Personal Data is based on a legitimate interest of the Data Controller, you may at any time object to further Processing on grounds relating to your particular situation.
  • Right to define the fate of your Personal Data after death: you have the right to set general directives concerning the retention, deletion and communication of your Personal Data after your death. These directives may be registered with a trusted digital third party certified by the CNIL. In the event of your death, and in the absence of any directives from you, the Company undertakes to destroy your data, unless its retention is necessary for evidentiary purposes or to meet a legal obligation.

7.2. How to exercise your rights

When the Company acts as Data Controller, these rights may be exercised:

  • By e-mail, to the contact address provided in the Application or to dpo@naaia.ai.

Where the Company acts as a Subcontractor, these rights may be exercised directly with the Data Controller.

If, after contacting us, you consider that your rights have not been respected, you may lodge a complaint with the CNIL:

  • Online, via the CNIL's online complaints service;
  • By post, by writing to the following address CNIL - Service des Plaintes - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

8. Security measures

The Company undertakes to take all appropriate measures to ensure the security and confidentiality of your Personal Data.

In particular, the Company implements technical and organizational measures to prevent Personal Data from being accidentally or unlawfully destroyed, lost, altered, disclosed to or accessed by unauthorized third parties.

9. Policy modification

This Policy may be amended, supplemented or updated to take account of any legal, regulatory and/or technical developments.

In the event of a substantial modification of this Policy, the Company undertakes to inform Users by any appropriate means before the modification takes effect.

Users are invited to consult this Policy regularly.

10. Contact us

If you have any further questions about the use of your Personal Data, you can contact us at the contact e-mail address provided on the Application or at this e-mail address: dpo@naaia.ai.