Charter on the protection of our existing and potential customers’ personal data
Version of 30 06 2021
From: HARVEST, SAS (simplified joint stock company under French law) with a share capital of €1,419,144, registered with the PARIS Trade and Companies Register under number 352 042 345 and having its head office at 5 rue de la BAUME 75008 PARIS.
For the attention of HARVEST candidates, existing and potential customers
Harvest is strongly committed to maintaining your privacy and protecting your Personal data, two principles protected by the Charter of Fundamental Rights of the European Union.
The processing of Personal data is governed in particular by the provisions of European Regulation 2016/679 of 27 April 2016, those of amended Law 78-17 of 6 January 1978 and the texts allowing for their implementation.
Harvest is a software publisher that provides a broad range of solutions in the financial and asset management consulting business, working with all players in the field. A comprehensive range of expert solutions is available: multichannel digital offers, sales aids, pricing solutions, simulators (savings, retirement, provident, life insurance, tax, property, etc.). Harvest also assists its clients with their projects, through all phases, from the design to the deployment of its solutions, taking into account the digital strategies of its customers.
Harvest is committed to providing highly secure solutions and adopting best market practice to ensure, among other things, the confidentiality and integrity of the data processed.
In the course of conducting business and as data controller, Harvest may collect and process your Personal data in relation to the use of our products and services. Out of concern for your privacy, Harvest has developed this Personal data protection Charter (hereinafter the “Charter”) to provide you with transparent information on:
- The Processing operations carried out on your Personal data;
- The categories of Personal data collected and processed;
- The recipients of your Personal data;
- The retention periods of your Personal data;
- Our commitments to protecting your Personal data;
- Your rights and freedoms in regard to the Processing of your Personal data.
This Charter, which is accessible online, is subject to change at any time. We invite you to check the online version regularly and before interacting with our services, for a thorough understanding of how we use your Personal data.
What is Personal data?
“Personal data” refers to any information relating to an identified or identifiable natural person, directly or indirectly:
- By reference to an identifier, such as a name, identification number (e.g.: customer code, social security number), online identifier (e.g.: email, web cookie, login), telephone number, date of birth, etc.
- By reference to one or more factors specific to their physical identity (e.g.: biometric photograph, fingerprint, handwriting).
- By cross-checking information such as date of birth, postal address, biometric data, etc.
What is Personal data Processing?
“Processing” refers to any operation, or set of operations, performed upon Personal data or sets of Personal data, whether or not by automatic means, regardless of the process used: collection, recording, organisation, storage, adaptation, modification,
What is a Data Controller?
The “Data Controller” is the person who determines the Processing purposes and means. They implement appropriate technical and organisational measures to guarantee Data protection and demonstrate that Processing operations are performed in accordance with applicable regulations.
The Data Controller in charge of your Personal data may in some cases be Harvest, an SAS (simplified joint stock company under French law) with a share capital of €1,419,144, having its head office at 5 rue de la Baume, 75008 Paris, registered with the Paris Trade and Companies Register under no. 352 042 345 (hereinafter “Harvest”, “We”, “Our”).
Harvest has a Data Protection Officer (“DPO”) whose contact details are as follows:
Processing of personal data
5 rue de la Baume
What is a Processor within the meaning of the Personal data protection regulation?
A “Processor” is a natural or legal person, public authority, department or other body that processes Personal data on behalf of, on instructions from and under the authority of the Data Controller.
What are the processing operations for which Harvest is a Data Controller?
By default, Harvest acts as Processor in accordance with the provisions drafted in the agreements with its customers. Said customers are responsible for defining all the purposes and means to be implemented in order to ensure an adequate level of protection and security, for the data of their own customers. Harvest processes Personal data only on behalf of its customers and does not reuse it on its own behalf.
Harvest’s services and products
However, Harvest is a Data Controller, within the meaning of the GDPR, when it provides the following services:
- Harvest.fr, Harvest.eu or any other website published by HARVEST: websites providing information on our services.
- ClickImpôts Particulier: solution for calculating your taxes, preparing your returns and completing your income declaration online. Harvest is the data controller when the customer is strictly an individual. In other cases, if the professional customer has subscribed to ClickImpôts, Harvest is then Personal data Processor.
- online purchase of training services;
- subscription to ClickImpôts services (for individuals, but also for professionals).
Harvest processes the Personal data of candidates in the context of recruitment, in order to make a decision on their suitability for the position by taking into account the candidate’s skills, knowledge acquired and personality.
The data processed includes CVs, cover letter, any letters of recommendation, the various tests conducted (technical, psycho-technical, etc.) and interview reports.
This information refers to identification data, data on professional life (qualifications, training, experience, etc.), personal data (marital status, etc.), economic and financial data (e.g.: salary expectations, etc.) and login data.
Harvest processes this data on the basis of its legitimate interest. Harvest retains this data for the entire duration of the recruitment. With the consent of the candidate, unsuccessful applications of interest for future recruitment may be retained in a candidate pool or a CV library for a maximum period of 2 years.
This data is collected directly from the candidate or from a recruitment firm or a specialised platform. It can be supplemented with public information, collected on professional social media (e.g.: LinkedIn)
Harvest processes this information on a confidential basis. It is intended solely for recruiting and HR employees.
By default, Harvest does not transfer candidate data outside the European Economic Area. If transfers are made, they are protected by mechanisms that ensure an adequate level of protection under European regulations.
Which data is processed by Harvest in its capacity as Data controller?
Harvest only processes Personal data strictly necessary for the purposes for which it is collected. The processing of Personal data performed by Harvest is essential for the provision of the Services.
When using our Services, we collect the following Personal data:
- Identification data: such as unique identification number, customer reference, identity, postal address, email address, telephone number
- Login data: such as customer code and password
- Location data: such as IP address
- Professional and public activities: such as current job, company identification, professional contact data (including professional email address).
Additional data may be collected in connection with the use of the “ClickImpôts Particulier” Service. To find out more about the collection of your personal data in connection with the use of ClickImpôts, please refer to the product data protection policy, available on the ClickImpôts Particulier item sheet (click on “GDPR and security customer documentation”) or directly via this link: https://formations.harvest.fr/files/documentation-ci-client-rgpd-part-v2.pdf
In addition, as part of the business relationship and with a view to improving the quality of its services, Harvest keeps a record of all exchanges made through websites, communications by email, telephone, or any other means of communication.
Why do we collect your Personal data?
Harvest collects and processes your Personal data in particular in the course of conducting its business, such as commercial solicitation, designing new services, or monitoring and improving service quality and securing IT environments.
Harvest undertakes to collect only Personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
More specifically, Harvest shall use your Personal data in the following manners:
- Manage our relationship with you and manage your agreement;
- Fulfil our commitments regarding the provision of services as defined in the agreement;
- Manage our databases of existing and potential customers;
- Facilitate payment transactions;
- Provide you with services that closely match your needs;
- Send you commercial and advertising information based on your preferences;
- Develop high-performance, innovative products;
- Carry out analyses and statistics with a view to adapting our business operations;
- Organise trade fairs or events for existing and/or potential customers
- Facilitate the processing of your requests;
- Comply with our legal obligations;
- Manage a possible dispute with you;
- Fulfil our commitments in a secure environment.
For ClickImpôts Particulier, additional processing operations may be carried out. To find out more about the processing of your personal data in connection with the use of ClickImpôts, please refer to the product data protection policy, available on the ClickImpôts Particulier item sheet (click on “GDPR and security customer documentation”) or directly via this link: https://formations.harvest.fr/files/documentation-ci-client-rgpd-part-v2.pdf
On which legal basis do we process your data?
Harvest processes data on the basis of:
- The performance of the agreement: The collection and processing of your Personal data is necessary for the performance of pre-contractual measures and for the performance of the service agreement between you and Harvest (the “Agreement”). Pre-contractual measures are defined as any action taken by Harvest at the stage of the presentation of our ranges of services and products to be in a position to meet the Customer’s expectations;
- Consent: Harvest processes Personal data by seeking free, specific, informed and unequivocal consent. This consent is expressed in the form of a declaration or positive action on your part, for example when you tick a box in a form (e.g.: subscription to a newsletter, acceptance of cookies, etc.);
- Compliance with legal obligations: the Personal data processed is necessary in order to comply with our legal and regulatory obligations (e.g.: retention of invoices);
- Harvest’s legitimate interest: Harvest processes Personal data to conduct commercial solicitation operations for business customers, to ensure network and information security or to prevent fraud.
The processing of such Personal data is necessary to carry out the aforementioned activities. In the absence of such communication, Harvest would be unable to respond favourably to requests or to provide the requested products and services.
When do we collect Personal data?
Harvest collects your Personal data directly or indirectly, and we always make sure that you are aware of Harvest’s commitments as well as your rights.
Indirect collection may be carried out by third parties or by Group companies (for example: Fidroit – sister company). In this case, we make sure that you are informed within one month of the date it was obtained via said third parties.
Your personal information may be collected on the occasion of:
- A solicitation;
- Your participation in or registration for an exhibition or event;
- Your visit to our websites, in particular when creating or managing your customer area;
- The management of your orders;
- Our exchanges, in particular with customer service or support;
- The monitoring of the quality of service, particularly when recording our telephone conversations;
- The review of our commercial or promotional information;
- Your participation in surveys;
- The acquisition of potential professional customer databases from specialised companies.
In the event of pre-contractual measures, we may collect your data on the occasion of:
- The visit to one of our websites;
- The completion of a contact form;
- A telephone conversation with the Customer Service department;
- A click on one of our promotional messages;
- The visit to a partner website (e.g.: Fidroit).
Who are the recipients of your personal data?
Harvest limits transfers of information to third parties and uses, whenever possible, anonymised or pseudonymised data (in which case only Harvest can identify the data subject).
Your Personal data may be disclosed to the following recipients where such disclosure is necessary:
- Harvest’s internal recipients: our customer service, support and development departments, our financial, legal and marketing divisions, the sales division and the legal and internal control functions of our company.
- External recipients:
- Event, communication, advertising and marketing agencies;
- Printing, document management companies, paper or online archiving companies;
- Statistical study or analysis companies;
- Software data transmission and hosting service providers;
- Institutional partners, to enable the online DGFIP declaration;
- The entities of the group to which Harvest belongs;
- Technical experts who process data in accordance with the regulations;
- In case of litigation: legal advisers, collecting agencies, court bailiffs, lawyers, notaries and parties to the dispute.
Harvest ensures that its subcontractors process your data in a manner that guarantees its integrity, confidentiality and security.
How is your data secure?
Harvest attaches particular importance to the security of personal data and we take all necessary steps to protect the personal data we process. Your personal data will be processed electronically, automatically and/or manually and, in any event, in such a way as to ensure its security, protection and confidentiality with regard to its level of sensitivity, through administrative, technical and physical measures to prevent loss, theft, unauthorised use, disclosure or alteration.
To this end, Harvest implements measures that comply with the principle of privacy by design and protection by default of the personal data processed. As such, Harvest can use data anonymisation or encryption techniques whenever possible and/or necessary.
What is the retention period of your Personal data?
Your Personal data must be kept only as long as is necessary to achieve the purposes for which it was collected, as mentioned below. It will subsequently be deleted. However, in some cases, your Personal data may be kept longer, for example in the event of litigation, or to comply with our accounting, legal or regulatory obligations. In any event, such data shall be destroyed or anonymised once said purposes have been fulfilled.
For study and statistical purposes, we may retain anonymised data for an unlimited period of time. Anonymisation is a protection mechanism aimed at irreversibly transforming Personal data so that it can no longer be used to identify the data subject.
Is your Personal data transferred outside the European Union?
The Personal data we process is not transferred outside the European Union.
If a data transfer outside the European Union were to be considered, Harvest shall:
- Ensure that appropriate safeguards are implemented, in particular through the conclusion of binding corporate rules and/or standard contractual clauses adopted by the European Commission, to guarantee enforceable and effective rights for data subjects;
- Inform you of the terms of such transfer.
What are your rights and how can you exercise them?
You have certain rights over your data:
- the right to access your Personal data,
- the right to rectify your Personal data,
- the right to delete your Personal data, if not contrary to other regulatory or contractual requirements;
- the right to restrict the Processing of your Personal data, in order to verify its accuracy, to object to its deletion or to exercise or defend your rights before a court,
- the right to object to the processing of your Personal data where said Processing is based on your consent,
- provide us with instructions on the use of your Personal data after your death,
- the right to the portability of your Personal data.
Please note, however, that certain Personal data may be excluded from these requests, in certain circumstances, in particular if we need to continue to process your data to serve our legitimate interests or comply with a legal obligation. You can exercise these rights by contacting: “Harvest SAS – DPO – Processing of Personal data – 5 rue de la Baume 75008 PARIS” or by emailing: firstname.lastname@example.org.
Pursuant to the regulations in force, to allow us to confirm your identity in case of doubt, you may be asked to produce proof of identity. We will keep a copy of your identity document for up to one year.
You also have the right to lodge a complaint directly with CNIL (Commission Nationale d’Informatique et des Libertés or French Data Protection Authority) at the following address: 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.