XCOM personal data charters
XCOM is a BTB event organiser specialising in IT, based in France and Morocco. As such, it collects and processes a large amount of personal data on behalf of itself, its customers and business partners.
XCOM is committed to ensuring that its systems and practices comply with the provisions of the European Data Protection Regulation.
The purpose of this personal data charter is to describe the principles implemented by XCOM in order to comply with the regulation and to protect the privacy of individuals whose data is processed.
It also sets out the general framework for the processing of personal data within XCOM and, in this respect, aims to provide data subjects with the information they need to comply fully with the regulations in force.
1. How is the data collected?
In the course of its activities, XCOM collects data, some of which identifies individuals or makes them identifiable.
1.1. The legal basis for data collection :
Legislation lists the legal bases for collecting personal data, in other words the legitimate justifications for collecting data. These legal bases are explained and/or referred to in the context of the data collection carried out by XCOM.
In this respect, XCOM may collect personal data on the basis of :
♦ the consent of the person concerned ;
N.B.: in France, the CNIL recognises two exceptions to prior consent for electronic prospecting detailed in a fact sheet on electronic prospecting dating from October 2016:
- in relations between professionals, the prior consent of the person concerned is not required for commercial solicitations sent to a professional e-mail address if these solicitations relate to the profession of the person in question. This tolerance is known as the "BtoB exception". As XCOM's activities are mainly carried out between professionals, collections are often made following prior information.
- prior consent is also not required for any solicitation sent to a data subject for services/products similar to those that the data subject has already acquired from the same organisation.
♦ performance of obligations under a contract ;
N.B.: The collection of personal data from our customers and users is necessary in order to fulfil the terms of the contract (e.g. subscription, subscription to an online service - free or paying,....) and to ensure the supply of the service subscribed to or the product acquired by the individual concerned. Thus, in this context, the consent of the individual is not required since the processing carried out is linked to the performance of the contract.
♦ the legitimate interest¹ of the controller ;
N.B.: In certain circumstances, the very nature of the service provided by XCOM involves the collection of personal data from its customers and users and the transmission of this information to designated third parties (e.g. matchmaking services). This processing, which is linked to the legitimate interest of the data controller in this case, is considered to be a reasonable expectation on the part of the data subject with regard to the description of the service provided. Of course, XCOM constantly assesses whether its legitimate interest is not outweighed by the interest of the data subject or by respect for his or her fundamental rights and freedoms.
♦ a legal obligation making processing compulsory.
N.B.: The regulatory context of an activity may make certain data processing and transfer operations compulsory: e.g. for invoicing products or services, training activities (attendance sheets), etc.
1.2. Collection methods :
1.2.1. data collection via forms
Accessing, using, downloading, purchasing or subscribing to certain services or products involves the collection of personal data concerning the prospective customer or user. In these cases, when filling in paper or electronic forms, people transmit information about themselves. These forms systematically specify :
- the name of the data controller,
- the purposes associated with the data collected,
- if the collection is made necessary by the subscription to the service concerned or by the purchase of the product envisaged,
- any other uses envisaged and the legal basis for the data collected;
- a reference to the relevant pages of this charter on how individuals can exercise their rights, contact details for the Data Protection Officer, rules on how long data is kept, how to lodge a complaint with the supervisory authority, etc.
1.2.2. collection via cookies
The term "cookies" is to be understood in the broadest sense: all traces deposited and/or read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application.
Cookies are based on a file that can be stored on the user's computer during browsing. Their main purpose is to simplify browsing on the sites (automatic authentication, personalisation of certain information, etc.) or to personalise the advertising that appears during user browsing.
Certain cookies are deposited by XCOM directly when browsing one of its sites. Users of the site may at any time oppose the use of these cookies by adjusting their browser settings, it being specified that such adjustments are likely to modify the conditions of access to products, content and services requiring the use of cookies.
Instructions on how to configure your browser are given in Appendix 2 of this charter.
In addition, other cookies are placed by companies outside XCOM in order to collect users' browsing data when they visit different sites. XCOM works with some of these companies.
To help users detect the cookies that may be installed on their computers, some sites, such as YourOnlineChoices, offer tools for listing and configuring your cookies.
XCOM sites mainly use the following cookies:
Audience measurement cookies :
- Google Analytics
Social network cookies :
- For Linkedin
In accordance with the legal provisions in force, before placing or reading a cookie on a user's computer, XCOM :
- informs Internet users of the purpose of cookies
- obtains their consent when required;
- tells users how to refuse them.
Cookies and tracers that are strictly necessary for the provision of a service expressly requested by the user do not require the user's prior consent. For example, the following trackers do not require users' consent:
- shopping basket" cookies for a merchant site;
- session ID" cookies, for the duration of a session, or persistent cookies limited to a few hours in certain cases;
- authentication cookies ;
- session cookies created by a multimedia player ;
- load balancing session cookies;
- certain audience measurement analysis solutions (analytics);
- persistent cookies used to personalise the user interface (choice of language or presentation).
All other cookies require prior information and a request for consent, for example :
- cookies linked to advertising operations;
- social network cookies generated by social network sharing buttons when they collect personal data without the consent of the individuals concerned;
- certain audience measurement cookies.
In accordance with CNIL recommendations, consent is obtained by means of a visible banner on the website, which must contain the following information:
- the precise purposes of the cookies used;
- the possibility of objecting to these cookies and changing the settings by clicking on the link "Find out more and configure cookies" in the banner (with a reference to this paragraph and to appendix 1 below);
- that by continuing to browse the site you agree to cookies being stored on your terminal.
In general, if users share their computer with other people, they must ensure that they delete the cookies installed on their computer by setting their browser parameters.
1.2.3. collection by telephone
XCOM provides certain services by telephone and may collect personal data in the process. Where possible, telephone contact is confirmed by sending an e-mail, enabling the person concerned to keep a written record of the conversation and to exercise their rights at any time.
1.2.4. Indirect collection
XCOM may obtain personal data from third parties (see Chapter 5). In such a case, XCOM:
- draws up a contract with this third party in accordance with the provisions of the Regulation ;
- notifies individuals of the transfer of their data to XCOM under the conditions defined by the Regulation;
- indicates the source of the data in its files to ensure traceability;
- informs data subjects of the procedures for exercising their rights.
2. What type of information is collected?
Some of the information collected constitutes "Personal Data", i.e. data concerning individuals that can be used to identify them.
In accordance with the legislation in force, XCOM has adopted the principle of minimisation in the collection of data and only collects data that is strictly necessary for the purpose for which it was collected and explained to the individuals concerned, leaving them free to exercise their rights.
The personal data that may be requested, depending on the nature of the services or products provided, are as follows:
Mainly :
- Your name and contact details, including e-mail and postal addresses,
- your function,
- your telephone and fax numbers,
where applicable for certain products and services :
- computer equipment used during navigation,
- information relating to your professional career (CV, professional training, awards, etc.), your location data,
- your connection and browsing data (IP addresses, logs) etc....
3. What is the purpose of the data collected?
3.1. Use of the data collected
XCOM may use the personal data in its possession in order to :
- to send commercial information relating to its products, promotions and offers, as well as other information relating to its products or services adapted to the centres of interest of the data subjects;
- to transmit information on products and offers from third parties - customers or commercial partners of XCOM - in relation to the function and/or with regard to an interest identified in relation to the activity of the data subject or that of the organisation to which he or she belongs;
- publish paid directories of professionals and decision-makers in order to offer them products and offers related to their functions and/or with regard to an interest identified in relation to the activity of the person concerned or that of the organisation to which they belong.
This personal data will be used by XCOM in the context of its activities relating to the promotion of its own products and services as well as canvassing on behalf of third parties. It will only be used within the strict limits defined by current legislation.
3.2 Sending information
Depending on the details collected, XCOM and its partners may transmit information by the following means:
- Text message sent to a person (SMS or MMS, notification, e-mail, and/or any other form of electronic message);
- Message via social networks;
- Telephone ;
- Postal mail ;
- Web banner ;
- Internet search engine.
3.3 Collection objectives
The purpose of the data collection is systematically indicated when it is carried out directly by XCOM and indicated when the data is transferred when it is collected by a third party.
XCOM may use a person's personal data for the following purposes in particular:
- In order to register it on its websites and/or information systems and to manage the delivery and invoicing of services/products provided by XCOM (including the processing of any searches or requests for information concerning us or our products or services).
e.g. processing orders or registrations
- In order to be able to fulfil its obligations under the terms of any contract binding it to the data subject and as part of the management of this type of contract:
E.g.: management of user access identifiers for a software application, access badges for a trade show, forum, etc.
- In order to comply with its legal obligations;
E.g.: managing attendance at a training session: keeping an attendance sheet
- For the purposes of monitoring, critically examining and improving its product and service offering;
- For the purposes of analysing connection and browsing data in order to deduce browsing behaviour and/or adapt the content offered according to affinities observed;
- To keep files for internal administrative use (customer complaints, customer loyalty, etc.);
- For commercial prospecting purposes on its behalf or on behalf of its commercial partners and advertisers, under the conditions defined below in the section entitled "Use of data collected";
- For the purposes of entering competitions, lotteries or promotions.
4. How and for how long is the data stored?
The data in XCOM's databases is processed in accordance with strict control rules that comply with the state of the art in technology and the recommendations of the competent supervisory authority.
4.1. Storage of personal data
XCOM takes all necessary precautions to preserve the security and confidentiality of Personal Data and in particular to prevent it from being distorted, damaged or accessed by unauthorised third parties.
The recommendations of the French Data Protection Authority (Commission Nationale Informatique et Liberté) are taken into account in security management throughout the Group.
4.2. data retention and archiving
The retention period depends on the activity concerned, the nature of the contact (customer or prospect) and industry practice.
♦ XCOM keeps certain mandatory documents (invoices etc...) for the legal retention period.
♦ The retention period for personal data is set by default for XCOM for a period of 5 years.
♦ Some data are kept for a shorter retention period:
- Cookies expire thirteen months after their last update.
- Prospective customers' data is deleted after a period of 3 years without any response to a solicitation.
- Candidates' CVs are kept for a period of 2 years.
♦ The duration is sometimes linked to the relevance or necessity of its processing: customer data is kept for the duration of the commercial relationship or data present in directories is kept for the duration of the mandates of the persons concerned.
5. Who are the third parties with access to the personal data collected?
5.1. Within XCOM
XCOM is made up of a number of companies located in and outside the European Union which may receive personal data from another subsidiary of the group, as part of its functional organisation².
By way of example, certain processing operations are carried out by one of the members of staff of another Group subsidiary in order to provide commercial assistance, market research or customer services, as well as for account management, the supply of products or services provided now or in the future, or participation in competitions, lotteries or promotions.
The marketing and production of certain XCOM products and services are in some cases carried out across several Group entities, and the sharing of resources may involve the use of files between several entities in a subcontracting or joint-responsibility processing relationship. All intra-group transfers outside the European Union are governed by a contract containing standard contractual clauses (see chapter 7 below).
5.2. Outside XCOM
XCOM may transfer the personal data it collects to various third parties, such as :
- customers/partners who have subscribed to a service that may involve the collection of users' personal data, in particular as part of a request to be put in touch or as part of the creation of a prospecting file;
- service providers, subcontractors and suppliers to carry out services on its behalf (for example: technical services, payment services, identity verification, suppliers of analytical solutions, chat, services, etc.);
- other companies, financial organisations or law enforcement agencies/departments for the purposes of fraud prevention or detection, where such disclosure is necessary to protect XCOM's rights;
- where provided for by law or at the formal request of an authority (in particular in the context of legal proceedings), public, semi-public or private bodies carrying out a public service mission;
- in the event of a merger, acquisition, dissolution or sale of all or part of its assets. Data subjects will be informed by email and/or a prominent message on the XCOM website(s) of any changes in ownership or uses of personal data and of the choices available to them.
5.3. working arrangements with third parties
In the event that personal data is transferred to a third party for any reason (for example: a subcontracting service, services carried out for a client), XCOM applies the conditions defined by the legislation in force, in particular informing the persons concerned of this transfer.
XCOM ensures that appropriate contractual stipulations between XCOM and the third party concerned guarantee that the latter :
- Will only use personal data for the purpose specified by it and in accordance with the objectives defined in this charter,
- And will have taken appropriate security measures to prevent unauthorised or unlawful processing of personal data, accidental loss or destruction of, or damage to, personal data.
6. Who should I contact for information?
XCOM has adapted its organisation to meet the requirements of the European Data Protection Regulation and to provide all individuals with full information on the personal data collected about them and the processing carried out on this data.
6.1 exercising rights of access, opposition, rectification and deletion
Any request relating to the exercise of your rights should be sent to info@xcom.fr. This request must include as much information as possible so that it can be processed on receipt within a maximum period of two months: for example, people must specify the e-mail address requested and for which they are sending the request in order to facilitate searches.
6.2 exercising the right to be forgotten
Any request concerning personal data appearing in an article published by XCOM must be sent to the following address: info@xcom.fr. This request must indicate the reasons for the request. Once the deletion of data has been processed, any request for an article to be dereferenced in a search engine must be sent directly to the said search engine by the person concerned.
6.3 data portability
Any request relating to the portability of data should be sent to info@xcom.fr, who will reply to you on the feasibility of such a request.
6.4 Appointment of a Data Protection Officer (DPO) and recourse to the supervisory authority
To complete this system, XCOM has appointed a Data Protection Officer who can be contacted at info@xcom.fr for any questions or difficulties relating to the processing of personal data.
Anyone can contact the Commission Nationale Informatique et Liberté (CNIL) directly.
7. Is data transferred outside the EU?
If XCOM communicates Personal Data to one of its subsidiaries or to a third party located outside the European Union, measures are taken to ensure that said data will benefit from the same level of protection as that imposed by the European Union in terms of data protection.
In this respect, XCOM will ensure that the processing is carried out in accordance with this charter and that it is governed by the European Commission's standard contractual clauses, which make it possible to guarantee an adequate level of protection for the privacy and fundamental rights of individuals.
8. Are there any specific treatment methods?
XCOM may combine information about companies with information provided by individuals under the conditions and for the purposes defined in this charter.
The profiling methods used within XCOM consist of manual or automated cross-referencing between company files and our XCOM contact databases (surname, first name, job title, e-mail address, etc.), based on objective criteria (size, sector, IT equipment, etc.).
9. Recruitment
As part of its recruitment policy, XCOM collects and stores personal data relating to potential candidates.
XCOM gathers the information necessary to find the most suitable profiles for the positions to be filled, in compliance with the law and with the rights and freedoms of individuals. XCOM will not pass on a person's CV and contact details to a third party without their consent.
Candidates who wish to modify or delete their personal data from our databases may send an e-mail to info@xcom.fr at any time, indicating "personal data" in the subject line.
The applicant must ensure that the referees agree to be contacted by XCOM.
10. How will you be informed of updates to this charter?
XCOM may modify or update this Privacy Policy from time to time. Any updates will be posted in the appropriate places, so that any user will be informed of the date of the last update.
The most important updates may be the subject of a notice on XCOM's corporate website www.xcom.fr at the latest when the said modifications come into force.
APPENDIX 1: XCOM Group companies
XCOM - 9 rue du Petit Rhône
13470 Carnoux en Provence, France
Tel : +33 4 42 70 00 66
XCOM EVENTS - Casanearshore Shore 1
20 000 Casablanca, Morocco
APPENDIX 2: Browser settings
Setting these parameters may alter your conditions of access to content and services requiring the use of cookies.
If the browser is configured to refuse all cookies, access to all or part of the site may be blocked.
In order to manage cookies as closely as possible to users' expectations, the browser must be configured to take account of the purpose of the cookies.
- Microsoft Internet Explorer
- Microsoft Edge
- Apple Safari
- Google Chrome
- Mozilla Firefox
- Opera
1.1 Recital (47) of Regulation 2016/679: The legitimate interests of a controller (...) may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, having regard to the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller (...). (...) The processing of personal data for canvassing purposes may be considered to be carried out in order to meet a legitimate interest.
2.2 Recital (48) of Regulation 2016/679: Controllers who are part of a group of undertakings or establishments affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data relating to customers or employees.
EN 
FR