ERALYS AND PERSONAL DATA PROTECTION
With its headquarters and clients in Europe, Eralys is subject to the General Data Protection Regulation (GDPR).
However, as a global player, we may also be subject to other international and local regulations.
The GDPR entered into force on 25 May 2018. It is certainly the regulation that protects the largest number of individuals with regard to their personal data.
The GDPR also applies to actors outside Europe when they hold and process personal data of persons residing in Europe.
The privacy policy presented here is part of our Terms and Conditions of Service.
To limit the risks of non-compliance with the GDPR and its consequences, and for a clear understanding, we use, as far as possible, the terms used in the GDPR, possibly supplemented by other requirements and other regulations that may apply. They are listed below with their definition in the context of this presentation.
Personal data: relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
It also does not matter how the data are stored: in an IT system, through video surveillance or on paper.
Sensitive data: the following personal data are considered "sensitive" and are subject to specific processing conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, sex life or sexual orientation.
Data controller: the data controller determines the purposes for which and the means by which personal data are processed. So, if your company or organisation decides "why" and "how" personal data should be processed, it is the data controller. Employees who process personal data within your organisation do so to carry out its tasks as data controller.
Data processor: the data processor processes personal data only on behalf of the controller.
Joint data controller and joint data processor: "joint" means that one or more natural persons, legal persons or organisations together perform the work of controller or processor.
Client: in this privacy policy, means the client of Eralys.
Data protection agreement (DPA): means the contract, or any contractual act, that must be established between the data controller and the data processor.
There are situations in which an entity can be a data controller, a data processor or both.
In particular, in the case of groups of companies, one company may act as processor for another company.
In the present context and policy, Eralys is both.
It is essential to distinguish two situations.
Situation 1: the Client is Data Controller
- Client is Data Controller: the Client owns the data.
- Eralys is Data Processor: it provides the means and processes the Client's data.
- The ISP is Joint Data Processor: it provides the basic technical infrastructure support that allows Eralys to deliver its services to the Client.
Situation 2: Eralys is Data Controller
- Eralys is Data Controller: Eralys owns the data.
- Eralys is Data Processor: it provides the means and processes Eralys' own data.
- The ISP is Joint Data Processor: it provides the basic technical infrastructure support that allows Eralys to receive all the services it needs.
ERALYS as Data Processor
As Data Processor, there is no difference whether Eralys serves a third party, a Client or its own needs.
In fact, we use exactly the same technical infrastructure, more precisely our Information Management System (I.M.S.) with our Smart Hybrid Connectivity (SHC) eco-system.
And we apply the same security policy.
Eralys undertakes to process the personal data of the Data Controller for the sole purpose of the proper performance of the Services and according to its instructions.
Data hosted by the Data Controller as part of our Services remains the property of the Client / Data Controller.
We prohibit the resale of such data, as well as any use for commercial purposes (such as profiling or direct marketing activities).
Eralys informs the Client / Data Controller about the ISP(s) and data center(s) where its data are processed and stored.
The location of the data must comply with the applicable Data Protection Regulations. EU GDPR states that data of natural persons residing in the EU, and their processing, must remain in the EU. Nevertheless, provided that the target country is recognized by the EU as applying equivalent protection conditions, the data may be transferred to that country.
Eralys will not change ISP or location without prior notice to the customer.
Through Smart Hybrid Connectivity (S.H.C.), Eralys can offer the Client / Data Controller the possibility of integrating and exchanging data flows with its own information systems and applications (on request).
I.M.S. provides the Client / Data Controller with useful tools and services to enable them to manage, and to offer data subjects, the means to exercise their rights.
But it is up to the Client / Data Controller to define its policy, what means it intends to use and what services it wants to offer.
I.M.S. provides the Client / Data Controller with useful tools and services to enable them to inform data subjects and to collect and manage their consent, objections and restrictions.
But it is up to the Client / Data Controller to define its policy, what means it intends to use and what services it wants to offer, and to ensure compliance with the Data Protection Regulations that apply.
Eralys Information Management System (I.M.S.) is natively designed to manage data protection.
In particular, I.M.S. manages the rights of users, profiles and roles down to the right to consult, create, modify or delete each elementary data item (a file or a field of a record), and each user can decide whether to share their data and with whom.
Eralys undertakes to return the entrusted data to the Client / Data Controller at any time, in a format that ensures portability (csv files - Excel - sql - pdf). Where appropriate, data may be delivered in a specific format requested by the Client / Data Controller upon accepted quotation.
All data of the Client will be permanently erased. The Client / Data Controller will be responsible for the retention of data during the applicable legal period.
I.M.S. is User / Profile / Role based for processing and data management (Services).
It is solely and fully the Client's / Data Controller's responsibility to define their policies and I.M.S. user rights, to select the Eralys I.M.S. Services they use and to ensure compliance with the applicable Data Protection Regulation.
At least one person must be appointed by the Client as I.M.S. Administrator (preferably two, for service continuity). They will be the privileged contact of the Eralys support team.
I.M.S. Administrators have extended access rights to manage users, rights, services and tools in accordance with the Client's / Data Controller's policies and requirements.
Eralys will assist only the Client's I.M.S. Administrators.
I.M.S. provides all the necessary means to organize and set up a help desk. It is the hub for service request management with follow-up and action tracking, and it allows interaction and tracking between "internal" and "external" actors and departments.
Coupled with the event engine, the workflow and the e-mail system, it is the ideal tool for incident management, alert and escalation management, service contract management (SLA) and process management. But its possible uses are much wider.
Eralys itself uses this tool for its own help desk.
The Client / Data Controller can use the tool in its own I.M.S. system with its own contacts and employees.
In collaboration with the ISP, Eralys, which administers its eco-system, monitors all services. Its objectives are multiple: detect production and security incidents, monitor critical functions with feedback to the supervision system, notify those responsible and initiate the appropriate procedures, ensure continuity of service by performing automated tasks, and ensure the integrity of the monitored resources.
An incident management process is in place. It can prevent, detect and resolve these events in the service management infrastructures and in the service itself.
The technical and infrastructure components are constantly updated by both the ISP and Eralys. A technology watch on new vulnerabilities is maintained.
Eralys Platform Administrators must be able to intervene to ensure the delivery of the Services, to perform upgrades, to assist in the event of an incident, and to manage and monitor data backup and restore and any automated process.
Platform administration access management is implemented as follows:
- All administration access to a system in production is carried out via a bastion.
- Administrators connect to the bastions via SSH, using public and private key pairs. Use of default accounts on systems and equipment is prohibited, and all access is fully traced.
- Administrators have an account dedicated exclusively to administration tasks, in addition to their user account (if applicable).
- Administrators are limited in number.
- Administrators in this role do not have access to application processing or application data (Client / Data Controller / User Services).
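The bastion access rules above can be checked mechanically. The following POSIX shell script is an added example, not Eralys' own tooling: it reads an sshd_config and reports any global directive that departs from the stated policy (key-pair authentication only, no root or empty-password logins, a named list of permitted administrator accounts, verbose logging for full tracing). The mapping of each rule to an sshd keyword and required value is this example's assumption; sshd `Match` blocks are not interpreted.

```shell
#!/bin/sh
# Added example, not Eralys' own tooling: audit an sshd_config on a bastion
# against the administration access rules stated in the policy.
# Only global (non-Match) directives are considered; sshd honours the first
# occurrence of a keyword, so the first uncommented match wins here as well.

# Print the effective value of a keyword (case-insensitive), or nothing if unset.
sshd_value() {
    # $1 = path to sshd_config, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Audit one config file. Prints each violation; exit status 0 means compliant.
check_sshd_policy() {
    cfg=$1
    violations=0
    # keyword:required value:reason (the reason paraphrases the policy text).
    # Unset keywords count as violations: a bastion policy must be explicit.
    for rule in \
        "PubkeyAuthentication:yes:administrators use public/private key pairs" \
        "PasswordAuthentication:no:key-pair authentication only" \
        "PermitEmptyPasswords:no:blank credentials are a default-account risk" \
        "PermitRootLogin:no:default accounts are prohibited" \
        "LogLevel:VERBOSE:full tracing of each administrator session"
    do
        key=${rule%%:*}
        rest=${rule#*:}
        want=${rest%%:*}
        why=${rest#*:}
        have=$(sshd_value "$cfg" "$key")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != \
             "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "VIOLATION: $key is '${have:-unset}', policy requires '$want' ($why)"
            violations=$((violations + 1))
        fi
    done
    # Administrators are limited in number and use dedicated accounts:
    # AllowUsers must name them explicitly.
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "VIOLATION: AllowUsers is unset, policy requires a named list of administrator accounts"
        violations=$((violations + 1))
    fi
    [ "$violations" -eq 0 ]
}

# Demonstration on two constructed configs (sample data, not real systems).
demo_policy_check() {
    weak=$(mktemp) hardened=$(mktemp)
    # Typical out-of-the-box settings: passwords allowed, root reachable.
    printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin yes' \
        'LogLevel INFO' > "$weak"
    # Settings matching the stated bastion policy.
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'PermitEmptyPasswords no' 'PermitRootLogin no' 'LogLevel VERBOSE' \
        '# dedicated admin accounts, no shared or default logins' \
        'AllowUsers adm-alice adm-bob' > "$hardened"
    for f in "$weak" "$hardened"; do
        if check_sshd_policy "$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
    done
    rm -f "$weak" "$hardened"
}

demo_policy_check
```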
The ISP's infrastructure management and support team must be able to intervene to ensure the installation, operation and maintenance of the servers, internet backbone and network. If needed, they may assist Eralys. They will never have access to Eralys platform components or to the I.M.S. and S.H.C. eco-system. They never have access to any Eralys, Client / Data Controller or data subject information.
Eralys and its ISP have put in place specific monitoring methods for the detection of malicious acts.
Eralys and its ISP undertake to inform the Client / Data Controller as soon as possible following the analysis of a potential or reported detection.
A crisis management committee is planned.
I.M.S. provides the Client / Data Controller with all the necessary tools to inform people when the protection of their personal data has been violated.
As Data Processor, in accordance with the GDPR, Eralys may be required to provide this information directly to the data subjects within 72 hours.
Eralys has set up resources and provides services in the field of Cybersecurity (please look at Cyber Security section for more details).
These physical security measures are provided by the ISPs.
They concern the access controls of their premises by their staff and their subcontractors, as well as natural and environmental risks, activity/services continuity.
By working exclusively with top ISPs that have security certificates such as ISO 27000 and choosing only Class III and Class IV data centers, we are confident that we benefit from the best security measures.
Eralys makes available the information on the security measures implemented within the framework of the Services, so that the Data Controller can evaluate the conformity of these measures with the processing of personal data.
Eralys provides the relevant information and documentation relating to the Services it provides and the security measures implemented, to enable the Client / Data Controller to demonstrate compliance with the applicable security regulations and more particularly with data protection regulations such as the GDPR in EU countries.
Audits can be performed on request by internal or external auditors, subject to conditions defined in the Services contract or by a particular agreement.
Audits may concern Eralys and the ISP(s) but are limited to the scope of the Client / Data Controller.
An information system security policy (ISSP) is implemented. It is updated at least every year or in the event of major changes that affect its content.
Eralys ensures that its ISPs, as hosts, providers of basic infrastructure and related services, meet the highest level of security requirements and are consistent with its security policy and requirements of its Clients and Data Controllers.
Eralys works only with the top global and local ISPs and uses only Class III and Class IV data centers.
ISO/IEC 27000 standard certification is mandatory; PCI-DSS (for payment systems), SOC 1 Type II, SOC 2 Type II, HDS (Healthcare Data System) and further ISP certificates are available.
Eralys exclusively uses servers that are entirely dedicated to it and that it administers itself.
The servers are distributed in different sites.
On request, Client / Data Controller can have their own dedicated server(s), their "private" environment.
Eralys defines and manages its own technical and technological architecture that is based on Open Source components and is commercially identified as I.M.S (Information Management System) and S.H.C. (Smart Hybrid Connectivity) and constitutes the Eralys eco-system.
Eralys uses reserved IP addresses with fail-over, and all connections to the servers, applications and services are encrypted. Client/User connections to Eralys servers and applications are encrypted.
Subject to the capabilities of the ISP, Eralys implements its own Virtual Private Network (VPN) between its servers. A specific VPN for the Client can be set up. A PoP connection with the Client's IT site for system integration can also be implemented, if local conditions permit.
Services continuity of infrastructures (availability of equipment, applications and operating processes) is ensured by Eralys and the ISP.
ISP assumes standard Data Center Class III and Class IV continuity measures for basic infrastructure (server, Internet network).
Eralys assumes I.M.S. and S.H.C. services continuity:
- redundancy of equipment and servers
- IP fail-over
- RAID disks
- servers distributed across different, geographically distant data centers
- backup policy with remote storage
It is the responsibility of the Customer / Data Controller to define its own policy and service continuity requirements and then to choose the necessary Services from Eralys.
Eralys will submit a quotation and if it is accepted will implement it.
Client as Data Controller
If the Client is Data Controller, it is up to the Client to manage the relationship with its contacts and to define and implement its own personal data management policy.
Eralys, as its Data Processor, assists the Client as Data Controller by providing it with means and services that will help it demonstrate that it meets the requirements of the regulations for the protection of personal data, in particular the EU GDPR.
Caution: some services specifically developed for a Client, or that use older components and infrastructure, may not provide the Client (Data Controller) with the facilities or tools that may be required. Please consult us.
Eralys and the Client (the Data Controller) sign a Data Protection Agreement.
The Data Controller must accept Eralys as its Data Processor.
Such agreement will be a part of the Eralys General Contract of Services.
Such agreement must be signed for compliance with the EU General Data Protection Regulation. Eralys will do so for all Clients, adapted to any particular regulation that applies.
Eralys informs the customer about the ISP(s) and data center(s) where its data are processed and stored.
The location of the data must comply with the applicable Data Protection Regulations. EU GDPR states that data of natural persons residing in the EU must remain in the EU. Nevertheless, provided that the target country is recognized by the EU as applying equivalent protection conditions, the data may be transferred to that country.
Eralys will not change the location without prior notice to the customer.
The type of Personal Data and the categories of data subjects are determined and controlled by the Client / Data Controller, in its sole discretion.
The Customer is solely responsible for the choice of Services.
The Client must ensure that the Services chosen have the characteristics and conditions required in view of the processes, as well as the type of Personal Data to be processed in connection with the Services, including but not limited to cases where the Services are used to process Personal Data subject to specific regulations or standards (for example, in some countries, health data or banking data).
A risk assessment will be carried out covering the personal aspects of natural persons, anything that could significantly affect the data subject, and the handling of particular categories of sensitive data or other data.
Eralys as Data Controller
This is typically the case when Eralys collects certain information concerning you or relating to your employees (identity and contact details, ...), for example for service contracts, support services, payments and so on.
Since 2005, Eralys has processed the personal, sensitive and strategic data of international financial, industrial and commercial clients. We know the value of information, the strategic importance of confidentiality, the transparency needed for trust, and the need for sharing.
The challenge, the major difficulty, is to be able to control and manage a very tenuous balance between protection and confidentiality (the private, guarantor of freedom and independence) and communication and sharing (the public, necessary for our development).
As a service provider we are ultimately a trusted third party, custodians of important and valuable things. Conscious of our role and of the trust that our interlocutors place in us, we have the greatest respect for people and for the information of our customers, suppliers and partners.
That's why our approach, our design is based on three separate pillars: information - treatments - communication.
And that we have decided to focus our services on the user (the person) who has needs, rights, responsibilities, but also roles, tasks and communication needs within an organization and society in general.
We have created an eco-system for information management (the "data" is an IT restrictive word) with I.M.S. (Information Management System) and S.H.C. (Smart Hybrid Communication) for communication.
In I.M.S., it is basically the User who has control over the information he creates in the system, and each user decides for himself what he wants or needs to share, when and with whom. Each piece of information is attached to a User or a group of Users responsible for that information.
This direct, permanent, visible and global empowerment of Users in the eco-system is the best guarantor of the protection and proper use of information: naturally for private, personal data, but also for all information in general.
And we go further, because our model is totally open. With I.M.S. and S.H.C., if desired, it does not matter whether a person, an entity or a group is "internal" or "external", a member or not, or whether the information is in one tool, application, system, format or location or another: the eco-system can expand to include it, and I.M.S. becomes in a way the integrator, the aggregator, a "universe".
For the information itself, from the technical point of view, and to the extent that its management and storage are entrusted to us, we protect the data using tools and components from the open source community and distribute them over several disks and servers, and physically over several sites.
And as we are global, we reason about and apply these principles, these rules, this philosophy on a general and global scale. What about, for example, an attack or a climatic event that neutralizes a country, a continent or a dominant actor that imposes its law; an employee, a group of employees or a supplier; a hacker that takes you hostage; a key player that disappears or takes control?
In a globalized, interconnected and interdependent world, engaged in profound economic, social and political instability that is generalized and permanent, with increasing conflicts, spreading terrorism and a changing climate, we need to adapt and to prepare for any eventuality.
For us it is now mandatory, and Eralys acts and helps: we have created a Cybersecurity platform and offer specialized Services.
Warning: information and data owned by users of our Eralys Services (where Eralys acts only as Data Processor) are excluded from the scope presented here.
Note: please also read our Eralys as Data Processor section, which contains important information.
- to limit the collection of personal data to those strictly useful for the sole purpose of the proper performance of the Services and for professional, commercial, business and project relationship management, in the framework of support, service requests, requests for quotation, subscriptions and online registration, payments, administrative and legal needs, quality improvement, human resources management, and for compliance with its own legal obligations
- not to use the data collected for purposes other than those for which they were collected
- not to collect and use the data for profiling purposes in order to carry out mass marketing or advertising campaigns, or to personally target the individuals whose information we hold
- not to sell or transfer the information to third parties other than related companies or group members
- to keep personal data for a limited and proportionate period. For example, the data processed for the purpose of managing the relationship between the customer and Eralys (surname, first name, postal address, e-mail, etc.) are kept by the company for the entire duration of the contract and then for the further period required by Eralys' own legal obligations. At the end of this time, they are deleted from all media and backups
- to treat the personal data of all people in the same way, regardless of the nature, type, level and purpose of the relationship.
Whenever Eralys collects or receives personal data, the natural person concerned will be notified with a reminder of their rights and, where appropriate, a request for their consent. For example, I.M.S. will automatically send an e-mail when a new contact record is created.
Most often, and especially when required by regulation (e.g. EU GDPR), an appropriate consent will be requested.
Eralys will also ask you periodically or occasionally to check your data, and ask you to update it and renew your consent, for example some time before a deadline or after a period of total inactivity.
The default common option is the link (or sending an e-mail) to firstname.lastname@example.org with Subject = Personal Data Request
As a customer, supplier, partner or project member, you or some of your employees maintain regular exchanges with Eralys. You then receive a personal login ID for direct and permanent online access to your personal data and, on a case-by-case basis, other information through our Customer Service Portal. There you have a direct view of your data and more stored in I.M.S. You can also submit your requests and communicate online directly with Eralys in a private, secured way, inside I.M.S.
On a case-by-case basis, at Eralys' sole discretion and upon request, you can obtain this access.
In the case of a close relationship, and if it brings added value and efficiency, at Eralys' sole discretion you and some of your employees can have an I.M.S. User access.
Depending on what is concerned and on the access rights available to the natural person, they may either submit a request for modification, express restrictions, or directly make certain changes themselves.
Erasure (right to be forgotten) can be requested at any time. Although perfectly legitimate and requiring no reasons or justification, this request is subject to a specific procedure with manual processing, because certain information is essential to the provision of services that the natural person wants to continue to benefit from, and some information must be retained by Eralys to fulfil its own legal obligations.
To avoid fake requests, you will have to confirm your request and pass a specific identification process. Eralys may also ask you to provide some information and/or documents.
The full process will be tracked and exchanges recorded. You will receive event/action-driven automatic notifications as follow-up until the final confirmation of the erasure.
When erasure is allowed, also with regard to Eralys' legal obligations, ALL the data and information concerned are deleted.
In accordance with the applicable regulations, Eralys will accede to any request for transfer submitted to it, within the means available: either through the Customer Services Portal or the I.M.S. User access, or otherwise by the link (or sending an e-mail) to email@example.com with Subject = Personal Data Transfer Request
Eralys provides the data to be transferred in a portable format: text (.csv or .txt), MS Excel (.xls or .xlsx), OpenDocument XML (.odt - .ods).
In the case of large volumes or on particular request, the transfer may be done using our S.H.C. platform, and other particular data formats can be provided (subject to conditions and special quotation).
In case of detection of a data breach, or serious suspicion of a potential data breach, Eralys undertakes to communicate as soon as possible and within 72 hours following confirmation by an analysis of the facts (EU GDPR rule).