Oris Connect | ORIS data protection and privacy

Last updated on: 2024 June 26

The purpose of this privacy policy is to detail the conditions under which ORIS, a société par actions simplifiée (simplified joint stock company), registered in the Paris Trade and Companies Register under number 903 014 108, whose registered office is at 54/56 avenue Hoche 75008 Paris ("Oris", "our" or "we") carries out the processing operations described below, in its capacity as controller of your personal data.

We undertake to process your personal data in compliance with the applicable regulations , and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Law No. 78-17 of 6 January 1978 on data processing, files and freedoms, in its updated version (hereinafter together the "Personal Data Regulations").

1. DESCRIPTION OF THE PROCESSING OF YOUR PERSONAL DATA

1.1 PERSONS CONCERNED

The data subjects of the processing operations we carry out are (hereinafter together "the Data Subjects", "your", "you"):

Any user of our website https://oris-connect.com/ (the "Site") ("User");
Any customer, prospect of Oris, including their employees and/or representatives (the "Customer") and as the case may be any user of our platform https://platform.oris-connect.com
Any ORIS supplier, subcontractor and/or other business partner, including their respective employees and/or representatives (the "Partner").

1.2 HOW WE COLLECT YOUR PERSONAL DATA

We collect personal data about you (i) directly from you, or (ii) indirectly from the following sources:

Our customers and/or suppliers with regard to their employees and/or representatives,
Our service providers,
Our business partners.

We only collect information we need. Note that some information is required and if it is not provided, we may not be able to conclude a contract with you, and/or provide you with the services to which you wish to subscribe, in particular when :

the processing of the personal data in question is necessary in order to comply with a legal obligation or to perform the contract to which you are party, or
this is necessary for the purposes described in the table above.

In the event that you communicate to us personal data of individuals with whom we have no direct relationship, you are invited to communicate to them the present Privacy Policy prior to this communication.

1.3 COOKIES

During your browsing on our Site, information relating to the navigation of your terminal (computer, tablet, smartphone, etc.) may be recorded in text files called "cookies", installed on your browser. Cookies are used to recognize your browser for the duration of the cookie's validity, and to send certain information back to the Site (e.g. your choice of language).

To know more about the cookies, please check our Cookie Policy https://www.oris-connect.com/legal/cookie-policy.

1.4 CATEGORIES OF PERSONAL DATA PROCESSED

In the context of this policy, the term "personal data" refers to any information that directly or indirectly identifies You as a natural person.

We collect the following categories of data :

Identification data (surname, first name, IP address, region or country)
Contact details (business email address, business telephone number)
Professional data (job title/functions)
Connection data (traces, logs)
Data relating to cookies and other trackers (as detailed in the paragraph dedicated to cookies and trackers above).
Payment and Invoicing Data (credit card information, SEPA bank, invoices) as the case may be,
Any other personal data that you may provide to us directly in connection with this purpose.

If we collect "sensitive" data within the meaning of the Personal Data Regulation concerning you; we will process such data in accordance with the conditions laid down therein.

1.5 PURPOSES, LEGAL BASES AND RETENTION PERIODS ASSOCIATED WITH THE PROCESSING OPERATIONS

We implement various processing your personal data, whose purposes, legal bases, and associated retention periods are detailed in the table below:

1.5.1 Site visitors

Purpose of processing	Legal basis	Shelf life
Communications management sent to from the Site, and the follow-up of our exchanges	Our legitimate interest is to be able to process your requests for information which includes receiving and keeping records of communications received, managing and taking all necessary steps to assert or defend any legal claim made by, against or otherwise involving you.	For as long as it takes to process your request and/or question, and no longer than 1 year.
Newsletter dispatch	Consent	3 years from the date of Your consent or our last contact with You
Site management and security	Legitimate interest	1 year from the date of collection.

Information on the activity of the Site and your use of our services is collected through cookies. To know more about it, please check our Cookie Policy https://www.oris-connect.com/legal/cookie-policy or the paragraph on Cookies hereinabove.

1.5.2 If you are an ORIS customer or prospect

Purpose of processing	Legal basis	Shelf life
Prospect relationship management
Promotion of our services and management of exchanges with you	Pre-contractual measures	3 years from collection by or last contact with you
Customer relationship management
Due diligence & reporting - (e.g. anti-money laundering controls and/or anti-corruption)	Compliance with legal obligations where applicable / Legitimate interest	Duration of our contractual relationship, except where legal and/or regulatory exceptions justify the application of a longer or shorter duration.
Provision of services and negotiation, performance and monitoring of contracts concluded with you	Pre-contractual measures and/or contract performance	Duration of our contractual relationship, and 5 years from the end of this relationship
Billing management (editing and receiving invoices, managing payments and accounting entries).	Compliance with our legal obligations.	10 years from the end of the financial year.
Customer service / Complaints management	Execution of pre-contractual measures and/or performance of the contract concluded with you.	3 years from our last contact
Creation and management of the customer database, in order to establish relevant organization charts, and keep minutes of meetings and other notes.	Legitimate interest to take necessary measures to facilitate the management of our customer base.	Duration of our contractual relationship, and 5 years from the end of this relationship
Analytics of the customer database and the subscribed services.	Legitimate interest in knowing customers, their interests and offering complementary services.	Duration of our contractual relationship, and 5 years from the end of this relationship.
Customer satisfaction surveys and feedback - (e.g. telemarketing campaigns, online surveys, etc.)	Our legitimate interest in understanding what you think about our services and enabling us to improve them	For the duration of the survey and/or opinion on our services or until You exercise Your right to object.
Meeting our legal and regulatory obligations & defending our rights
Public and judicial authorities in order to comply with requests from public, judicial governmental authorities and/or any other competent regulatory authority.	Compliance with our legal obligations	For the duration of the proceedings before the authority concerned.
Defend our rights in order to establish and retain any evidence necessary to defend our rights in connection with claims or actions brought against us by you.	Legitimate interest in defending our rights and taking all necessary measures to prevent and manage any pre-litigation or litigation.	For the duration of the applicable legal requirements or for the duration of the dispute, as the case may be.
Marketing
Sending promotions and offers by electronically, for products and/or services similar to those you have already purchased and/or subscribed to.	Legitimate interest in undertaking appropriate promotional activities. In any event, you have the possibility of unsubscribing from any subsequent communication by clicking on "Unsubscribe" when you receive the corresponding communication or by using the contact details indicated in this privacy policy.	3 years from your last activity or until You exercise Your right to object
Organization of competitions - Please note that your participation in competitions implies your acceptance of their rules and regulations.	Execution of pre-contractual measures and/or performance of the contract concluded with you.	3 years from game start date

1.5.3. If you are a supplier, subcontractor or any other business partner of ORIS

Purpose	Legal basis	Shelf life
Managing our business relationships
Carrying out due-diligence and reporting (e.g. anti-money laundering and/or anti-corruption controls).	Compliance with our legal obligations where applicable / Legitimate interest to take the necessary measures to protect our activities, preserve our business operations and develop them.	Duration of our contractual relationship, except where legal and/or regulatory exceptions justify the application of a longer or shorter duration.
Management of our contractual relationship and negotiation, execution and follow-up of contracts concluded with us; management of our exchanges	Execution of pre-contractual measures and/or execution of the contract concluded with you.	Duration of our contractual relationship, and 5 years from the end of this relationship
Creation and management of the Partner database to store meeting minutes and other notes.	Legitimate interest to take any measure necessary to facilitate the relationship with our contractual partners.	Duration of our contractual relationship, and 5 years from the end of this relationship
Billing management - (issuing and receiving invoices, managing payments and accounting entries)	Meeting our legal obligations	10 years from the end of the financial year.
Meeting our legal and regulatory obligations & defending our rights
Defend our rights - in order to establish and retain any evidence necessary for the defense of our rights in connection with any claims or actions brought against us, (ii) to establish periodic reports at ORIS Group level on this subject, and to ensure that you have the appropriate qualifications (supplier training records).	Legitimate interest in defending our rights and taking any necessary measures to prevent and manage any pre-litigation or litigation.	For the duration of the applicable legal requirements or for the duration of the dispute, as the case may be.
Public and judicial authorities in order to comply with requests from public, judicial, governmental or/and any other regulatory authority.	Compliance with our legal obligations.	For the duration of the proceedings before the authority concerned.
Marketing
Sending promotions and offers by electronic means, for similar products and/or services - in order to offer you newsletters promoting s services and products similar to those you have purchased and/or subscribed to. We also process your personal data to decide which marketing communications to send you. In general, these decisions have no legal effects on you or do not significantly affect you. In cases where the decisions would result in such negative effects for you, you will be provided, prior to processing, with details of the logic involved, as well as the significance of the possible consequences of such processing. In such cases, you have the right to obtain human intervention, express your views and consent to such decisions. For example, we may tailor the marketing communications you receive according to the sector of activity you activate, the function and the preferences you have selected.	Our legitimate interest in undertaking appropriate promotional activities. In any case, you oust yourself from any further communication, by clicking on "Unsubscribe" when you receive the corresponding communication or by using the contact details indicated in this privacy policy. In deciding which marketing communications are appropriate for you, we rely on our legitimate interests in undertaking appropriate promotional activities. However, where we are required to do so by applicable law, we will obtain your express consent to such segmentation, for example, in cases where the decisions taken as a result of the segmentation process would have legal effects concerning you or would significantly affect you.	3 years from our last contact or until Your consent is withdrawn

2. RECIPIENTS OF YOUR PERSONAL DATA

To achieve the above purposes and only to the extent necessary for their pursuit, we may communicate your personal data to the following recipients:

Within the ORIS Group

- - Any entity of the ORIS group, including its subsidiaries;
  - ORIS employees whose duties, functions and tasks justify them processing your personal data for the purposes set out above.
Outside the ORIS Group
- - The public authorities, government agencies, the government services, or any other authorities competent within the scope of its attributions;
  - Third-party service providers and subcontractors that ORIS may use to manage its relationship with you (payment service providers; analysis service providers; IT support, storage and hosting service providers; travel and accommodation service providers; benefits providers, payroll managers; human resources service providers; agents, consultants, subcontractors and other third parties that provide services to ORIS; professional organizations (unions));
  - Accountants, lawyers and legal and financial service providers; tax and financial service providers, brokers, banks, insurance agents
  - Any other person or entity to whom the data must be disclosed at your request;
  - In the event of a project to raise funds, acquire or sell an ORIS activity or assets by any means whatsoever, including by selling the company carrying on this activity or owning these assets, the potential acquirer(s) and their advisors as part of an audit preceding the operation. As part of any of the above activities, your personal data may form part of the transferred assets and will therefore be processed by the acquirer who will act as the new data controller in accordance with its own privacy policy.

We disclose our personal data to the above-mentioned recipients, provided that the latter are subject to an appropriate obligation of confidentiality:

If we are required or permitted to do so by law or in connection with legal proceedings, for example to enforce a court order or to comply with a request made by a law enforcement agency;
If we believe that disclosure is necessary or appropriate to prevent physical harm or financial loss;
As part of an investigation into actual or suspected fraudulent or other illegal activity;
If we sell or transfer our business or our assets, in whole or in part (including reorganization, dissolution or liquidation of the company);
If we consider it necessary or appropriate for our legitimate interests, provided that such disclosure does not adversely affect the interests, freedoms or fundamental rights of the persons concerned.

3. YOUR RIGHTS CONCERNING THE PROCESSING OF YOUR PERSONAL DATA & HOW TO EXERCISE THEM

In accordance with the Personal Data Regulation, and to the extent permitted by the law applicable to you, you have the right to access, rectify, delete, object in certain circumstances, limit the processing, port your personal data and, where applicable, give instructions concerning the fate of said data after your death.

In addition, you may withdraw our consent at any time, in cases where it has been requested.

Right of access: We allow you to access your personal data collected and processed by ORIS. You will be provided with all relevant and legally required information and a copy of your personal data.
Right of rectification: You may ask us to rectify any inaccurate or incomplete personal data.
Right to erasure: Allows you to ask us to delete your personal data under the conditions set out in the Personal Data Regulation (for example, if the data is no longer necessary for the purposes for which it was collected), except where the law requires us to keep it for a specific period, or where it is necessary for the performance of the contract between us, or for a compelling legitimate reason such as defending a legal claim.
Right to limitation: Allows you to ask us to restrict the processing of your personal data, not to use your personal data, in the conditions set out in the Personal Data Regulations.
Right to object: may object, at any time, to the processing of your personal data under the conditions provided for in the Personal Data Regulations, and in particular when it is based on our legitimate interests or is carried out for the purposes of electronic commercial prospecting. In all other cases, however, we will weigh our interests against your particular situation in order to decide whether or not to comply with your request. Consequently, any such request should be accompanied by explanations to clarify the reasons, if any.
Right to portability: Allows you to receive your personal data, in a structured, commonly used and machine-readable format, or to transmit this data to another data controller, under the conditions set out in the Personal Data Regulation (i.e. when the processing is based on your consent or the performance of the contract concluded with us and only if the processing is carried out by automated means.
The Right to specify what happens to your personal data after your death. You also have the possibility of defining general or specific directives concerning the manner in which you wish your personal data to be exercised after your death, under the conditions provided for in the Personal Data Regulations.

You can exercise your rights and find out more about the processing of your personal data by sending us an e-mail specifying (i) the right you wish to exercise, (ii) the personal data concerned by your request and (iii) your contact details (full name and e-mail address) to the following address: hello@oris-connect.com .

You also have the right to lodge a complaint with the competent data protection authority.

In France, the data protection authority is the Commission Nationale de l'Informatique et des Libertés – CNIL (3 place de Fontenoy - TSA 80715 - 75334 Paris cedex 07 - telephone: 01 53 73 22 22).

4. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION

For the purposes of our business, we reserve the right to transfer certain personal data outside the European Union, for example if we use a subcontractor whose servers are located outside the European Union.

If the country receiving personal data does not benefit from an adequacy decision from the European Commission and does not present an adequate level of data protection, we make the following commitments:

Adopt appropriate data protection safeguards, and in particular Sign and apply the latest version of the European Commission's Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council;
Assess the recipient country's data protection legislation and, should this assessment show that the legislation compromises the effectiveness of the standard contractual clauses, adopt additional protection and security measures to protect the personal data transferred.

5. SECURITY

We implement appropriate technical and organizational security measures to preserve the confidentiality and security of the personal data we process and to prevent their unauthorized destruction, loss, alteration or disclosure.

When we use subcontractors, we undertake to contractually impose on them security guarantees like those we implement to protect your personal data, and we reserve the right to audit them to ensure compliance with their obligations.

6. UPDATE

We may modify, supplement or update this privacy policy at any time, in particular in order to take into account legal, regulatory and/or jurisprudential developments and/or changes in the way we carry out our activities or the implementation of new processing.

ORIS Privacy Policy