Personal data protection policy

Last updated: 2024, january 8

The ORSYS Group (ORSYS Formation, ORSYS Institut, ORSYS Belgium, ORSYS Luxembourg, ORSYS Switzerland, ORSYS Spain, ITTCert) is concerned about the protection of its customers' personal data. It undertakes to ensure the best level of protection in compliance with European regulations applicable to the protection of personal data.

For all information on the protection of personal data, you can also consult, depending on your situation :

the Commission Informatique et Liberté website www.cnil.fr in France
the Data Protection Authority website www.autoriteprotectiondonnees.be in Belgium
the National Data Protection Commission website www.cnpd.lu in Luxembourg
the website of the Federal Data Protection and Information Commissioner www.leprepose.ch in Switzerland

What are our principles for processing personal data?

In accordance with current regulations, the processing of your personal data carried out by ORSYS Group is based on the following principles:

The data collected is proportional to the purposes of the processing.
The purposes of each processing are determined, explicit, and legitimate.
The processing is lawful, fair, and transparent.
The collected data are subject to security measures, both organizational and technical.

Who is responsible for processing my personal data?

The data controller is the company that determines how and for what purpose your personal data are used.

For personal data collected on our websites and mobile applications, or during your contacts with our sales teams (needs analysis, orders, follow-up of files, etc.), the data controller is :

ORSYS GROUP

1 Parvis de la Défense,

La Grande Arche Paroi Nord

92044 PARIS LA DÉFENSE CEDEX

RC Nanterre: 482 761 160

Why does the ORSYS group collect my personal data ?

The ORSYS group mainly uses your personal data mainly for the following purposes:

Management of training orders and customer relations, ensuring that training courses are actually delivered
The vast majority of our customers are private companies and public bodies, and some are private individuals. We need information about you in order to manage professional training orders placed by your employer or yourself, and to follow up on these orders.
For example: registering for an inter- or intra-company training session or an e-learning session; sending your invitations or your login details for our LMS (Learning Management System) platform; welcoming you to our centres and training rooms; carrying out the training service and monitoring the training periods completed; assessing your knowledge; monitoring customer relations, such as carrying out satisfaction surveys; managing complaints and after-sales service.

Personalisation of our services and the messages we send you
We use your data to improve the services we offer you and the communications we send you. For example, we can send you personalised emails or recommend training courses that correspond to your professional needs.

Customer knowledge, statistics, and performance of our site
We may use anonymous data to analyse activity on our site and improve the services we offer. For example, we measure the number of pages viewed, the number of visits to the site, visitor activity and the frequency with which visitors return.
We may use the data concerning you to establish internal statistics linked to your commercial relationship with the ORSYS group.

What personal data is collected about me?

What data?

Customers and training providers (contacts in the training department, human resources department, buyers, operational directors and managers, etc.)

The personal data collected and processed are mainly surnames, first names and professional details (company, job title, postal address, e-mail address, telephone number), some connection data, order history and any other information provided voluntarily if its content is relevant and proportional to the purpose of the processing.

Participants in ORSYS Group training courses

Personal data is collected either from the employer or from the participant themselves at the time of registration. It mainly consists of the surname, first name, professional details (employer's name, profession, postal address, e-mail address, telephone number), some connection data, evaluations of training courses attended, self-assessments on knowledge acquisition, and any other information provided spontaneously if its content is relevant and proportional to the purpose of the processing.

The collection of the participant's data from the employer meets the legal training obligation of employers towards their employees.

The collection of data from the participant him/herself fulfils the legal obligation referred to in the previous paragraph or the performance of a vocational training action as provided for in article L 6313-1 of the French Labour Code. The data collected is then necessary to carry out the action.

Where applicable, in application of article D 5211-3 of the French Labour Code, the ORSYS Group may collect information on any disability in order to provide the necessary adaptations to the course. This information is only kept until the end of the training course. It is then removed from our systems and we keep no trace of it.

When?

For the training providers (contacts in the training department, human resources department, buyers, operational directors and managers, etc.), we collect the information provided when :

You request the creation of an account in our customer area.
You place an order on one of our websites or with our sales teams (email or web forms).

For people taking ORSYS Group training courses, we collect the information provided when :

You are using an accountMyOrsys to access the educational resources of a training course you have attended.
You evaluate a training course you have attended.
You browse our websites and consult our training products.
You contact our Customer Service.

For all, we collect the information provided when :

You submit an information request.
You send us a registration request for one of our free events. During online collection, the mandatory or optional nature of the data is indicated to you by an asterisk.

When data is collected online, the compulsory or optional nature of the data is indicated by an asterisk.

The ORSYS group may also collect data from prospective customers in the context of :

Purchase of data via external partner databases, in compliance with the GRPD.
Professional events (trade fairs and webinars): the data collected includes surnames, first names and professional contact details (company, job title, postal address, e-mail address, telephone number).
In both cases, an acknowledgement of receipt is sent to the e-mail address collected to inform you of our approach and give you an immediate opportunity to object.

Subscription to our ‘blog’ content: our prospective customers can ask to receive our commercial e-mails, based on the training topics that interest them. They are then invited to enter their professional e-mail address and simply select the content categories to which they wish to subscribe.

What communications am I likely to receive?

Service emails

Following an order or as part of contract management, you will receive emails to allow you to track your order or the execution of your contract (order confirmations, organisation of training sessions, retrieval of administrative documents, etc.). These service messages are necessary for the proper execution of the orders and services you have requested. Receiving this information is not linked to the choices you will have expressed for receiving communications for commercial purposes.

Commercial e-mails and newsletters

As a customer, if you have not objected, or as a prospect (trade show, webinar, blog, etc.), you may receive information and offers from ORSYS by email. These messages keep you informed about ORSYS's news, the evolution of its training offer, session availability, and events (presence at trade shows, conferences, or webinars). We systematically measure the open rate and click-through rate of these emails to adapt them as closely as possible to your needs.

Postal mailings

If you have not objected, you may receive offers and information by post.

On what legal basis and for what durations are my personal data processed?

The processing of your personal data is justified by various legal bases depending on the use we make of the personal data. Below you will find the legal bases and retention periods that we apply to our main processing activities.

Legal bases of the processing Among the applicable legal bases:

Contract: the processing of personal data is necessary for the performance of the contract to which you have consented.
Consent: you agree to the processing of your personal data through express consent (checkbox, email contact, or telephone contact with your ORSYS sales representative). You can withdraw this consent at any time.
Legitimate interest: ORSYS has a commercial interest in processing your data that is justified, balanced, and does not infringe on your privacy. Except in exceptional cases, you can oppose a processing based on legitimate interest at any time by notifying ORSYS.
Legal obligation: the processing of your personal data is mandatory by law.

Retention periods

Most data (information from your customer account, order history, etc.) are retained as long as you are an "active" customer and for a period of 5 years from your last activity. Your data is then archived with restricted access for an additional period for limited and legally authorized reasons (payment, requests for old documents such as a training certificate or diploma, etc.). After this period, they are deleted.

What measures are taken to secure my data?

The ORSYS Group takes technical and organisational measures to prevent unauthorised access or disclosure of data:

Access to our premises and IT environments is secure.
Access, sharing and transfer of data are secure.
Our employees who have access to personal data are trained in confidentiality requirements.

Who are the recipients of my data?

Transmission of data to subcontractors

The data we collect may be transmitted to subcontractors ORSYS uses for the realization of its training courses for the purposes mentioned above, mainly in the context of the effective implementation of face-to-face or distance learning courses.

Sharing of data within the ORSYS group

Data concerning you may also be transmitted to other subsidiary companies of the ORSYS group for study and customer knowledge purposes. To know the up-to-date list of group entities likely to receive your data, you can make the request.

Sharing of data with third parties

The ORSYS Group only shares your data with providers necessary for the realization of its training courses.

How can I express my choices regarding the use of my data?

You can at any time withdraw your consent or object to the use of your data:

By email à rgpd@orsys.com
By mail to the address: ORSYS, Traitement des données personnelles, 1 parvis de la Défense, La Grande Arche, Paroi Nord, 92044 Paris La Défense.
If you have an account, online in your Espace Pro (for training prescribers) or in your MyOrsys (for participants in our courses).

All our advertising emails contain an unsubscribe link, allowing you to express your opposition to the use of your email address at any time.

What are my rights regarding the use of personal data?

According to the regulations on the protection of personal data, you can exercise your rights (access, rectification, deletion, opposition, limitation, and portability where applicable) by writing to rgpd@orsys.com or by post to ORSYS, Personal Data Processing, 1 Parvis de la Défense, La Grande Arche, Paroi Nord, 92044 Paris La Défense.

To enable us to respond promptly, please provide your name(s)/surname(s), company, professional email address used in your relationship with ORSYS, and the desired modification. Some requests to exercise your rights (right of access) must be accompanied by a photocopy of an identity document bearing your signature to verify your identity and specify the address to which the response should be sent. A response will be addressed to you within one month following the receipt of the request.

You also have the right to lodge a complaint with the Commission responsible for the protection of personal data in your country.

The ORSYS group has a Data Protection Officer (DPO) responsible for ensuring the protection of personal data. You can contact ORSYS's DPO at the address dpo@orsys.com (excluding the exercise of your rights, which is primarily carried out at rgpd@orsys.com).

Are my data transferred outside the European Union?

Your data collected in the context of your business relationship with the ORSYS Group are not transferred outside the European Union.

What about the personal data of minors?

The ORSYS Group services are not intended for minors; consequently, the ORSYS Group does not process data specifically concerning minors..

What types of cookies are used?

ORSYS Group websites use cookies or similar technologies to improve your browsing experience or to offer you personalised advertising content.

We rely on a trusted third party, Axeptio, which manages the collection and storage of your consent.

Our customers and prospective customers manage their consent autonomously, via a window accessible at the bottom of each page of our websites. They can, as they wish and at any time, accept or refuse each of the types of cookies below:

Cookies for accessing statistics or behavioural data relating to visits to our websites (Google Analytics, Hotjar, etc.)
Cookies to measure the effectiveness of sponsored campaigns (Google Ads, Bing, Facebook, Twitter, Instagram, etc.)
Cookies to identify visitors to our advertising emails (Dialog Insight).