Last update on: 07 May 2022
This is a free translation for information purposes. Only the original version in French is binding under French law.
The “SMY” Teams Application is operated by Supermonday (hereinafter “Supermonday”), Simplified joint stock company (S.A.S) with capital of €14,280, head office registered as 15 place Royale 78000 Versailles (firstname.lastname@example.org), listed on the Versailles register of commerce and companies under the number 899 075 402.
It was drawn up in accordance with the requirements of the French law of 6 January 1978 (French Data Protection Act), the European General Data Protection Regulation (“GDPR”) of 23 May 2018 and the act of 20 June 2018 transposing the General Data Protection Regulation into French law.
Article 1 – Definitions
1.1 Technical terms concerning data privacy
In the Application, the terms below take the meaning assigned under the GDPR (Article 4):
Consent: “of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”;
Personal data: “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”;
Data controller: “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”;
Processor: “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”;
Processing: “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”;
Personal data breach: “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
1.2 Other terms used in this document
“Administrator(s)” means the representative(s) of the Customer in charge of configuring the Application and assigning certain features on behalf of the Customer;
“Application”: means the “SMY” Teams Application available on the Microsoft TEAMS platform, operated by Supermonday and provided to Users;
“Customer”: means any legal person acting in the course of their professional activity, having signed a commercial Contract with Supermonday to use its Services and obtain access to the Application;
“Content” means all elements representing the information provided on the Application (text, images, videos, algorithms, software, widgets, etc.) and enabling its operation, User information and presentation of the Services;
“Employee(s)” means Customer employees with access to the Application;
“Features”: refers to all features made available to Users via the Application;
“Service” means the standard application features delivered via the Application by Supermonday as well as Updates as a paid subscription;
“SMY” or “Event” means the events organised by Employees or Administrators using the Application;
“Supermonday” refers to the company Supermonday, simplified joint stock company (S.A.S) with capital of €14,280, head office registered as 15 place Royale 78000 Versailles (email@example.com), listed on the Versailles register of commerce and companies under the number 899 075 402.
“User” means any User of the Application, including Customers of Supermonday, Administrators and Employees.
Article 2 – Collection of personal data
Browsing and using the Application, as well as the associated features, requires the User to provide personal data (for the purposes indicated in article 3).
Consequently, the User consents to the collection and processing of personal data they provide to Supermonday for the sole purposes detailed in article 3 of the Policy. This consent and other reasons serve as a legal basis for the processing of data collected.
The provision of User data is also the legal basis for performance of the Contract between Supermonday and the Customer. By signing the Contract, the Customer accepts the purposes of data processing as described herein.
SMY collects and processes data that are strictly necessary for the purposes of delivering the Features. SMY shall not process any data for purposes other than those indicated above. Each time the Application processes personal data, SMY takes all reasonable measures to ensure the exactness and relevance of the personal data in light of the purposes of their processing.
Article 3 – Purpose of data processing
User data are processed for the following purposes:
3.1 Delivery of services
By delivering the Service to its Employees, the Customer accepts that their personal data be processed in order to execute the Services. By using the features of SMY, the User acknowledges that their data are processed by SMY for the purposes of executing the Services and features of the Application.
The legal basis is the performance of a Contract between the Customer and Supermonday.
3.2 Access to TEAMS Calendars
The Application has access to the available time slots in User Calendars but does not have access to the content of the Calendars nor the titles and notes included in the Calendar (e.g. Name of an event outside of SMY, participants outside of SMY). The Application only sees the time ranges when the Users are available. Any time slot where they are “Unavailable” is visible to the Application without it having access to the titles of the Events.
3.3 Employee and Administrator data
Employees and Administrators must provide the following data:
- Personal details: first and last names;
- Contact details: TEAMS login details, e-mail address.
Employee and Administrator data are collected when they link their TEAMS account to the SMY Application. They are used for the following purposes:
- First and last names: used in the Employee or Administrator profiles and in messages sent (SMY invitations, meeting links);
- E-mail: used to forward to the User all communications relating to Events organised;
- These data are processed solely to supply the Application Services as described in the General Terms and Conditions of Use of the Application;
- All these data are also used by Supermonday in the course of a legal request submitted by the User concerning their personal data.
The legal basis is the performance of a Contract (between Supermonday and the Customer);
Contact details are used:
- To respond to requests submitted by the Employee or the Administrator to SMY (via the “Help” section);
- User data are not subject to third party use.
The legal basis is the performance of a Contract (between Supermonday and the Customer).
Each month, the Application issues a Report on use of the Application by Users (e.g. Number of SMY, frequencies, etc.). These Customer reports are never nominative and are always anonymised so that the Customer may not know how a given User makes use of the Application.
3.5 Customer access
Via its Administrators, the Customer only has access to the SMY it has created itself. The Customer may not access SMY Events initiated by an Employee, nor will it be informed of the number of SMY organised by an Employee, or how many SMY they have attended or the meetings they have had (e.g. names of peers met, list of participants in an Event). This measure is taken to protect the personal life and privacy of Employees and ensure that Employees can use the Application without limitations.
3.6 Customer data
The Customer must enter the following information:
- Customer company details: name of entity, first and last names of its representative, phone number, trading name, e-mail;
- Customer contact details: TEAMS login details;
- Invoicing details: name, postal address, SEPA direct debit.
Customer data are collected when the Customer enters into a Contract with Supermonday. They are used for the following purposes:
- First and last names: used in the Customer profile and in messages sent to the Customer;
- Company name: used in messages sent to the Customer;
- Phone number and e-mail: used to send messages to the Customer concerning its use of the Application Services;
- All these data are also used by Supermonday in the course of Customer Contract management (renewal, termination, price review);
- All these data are also used by Supermonday in the course of a legal request submitted by the Customer concerning their personal data.
The legal basis is the Customer’s Consent and the performance of a Contract.
Contact details are used:
- For commercial marketing. When entering into a Contract with Supermonday, the Customer is informed that its e-mail address will be used for this purpose and gives its consent to receive marketing messages. It may at any time oppose this marketing by sending a request to firstname.lastname@example.org.
The legal basis is the Customer’s Consent.
Invoicing data are used to invoice the Customer for using the Services proposed by the Application.
The legal basis is the performance of a Contract.
Customer details (name of entity, representative, address, invoicing data) are processed solely for the following purposes:
- Invoice the Customer for its Subscription;
- Manage the Contract with the Customer (renewal, termination, price amendments);
- Communicate with the Customer concerning SMY and Supermonday Services.
The legal basis is the performance of a Contract.
3.7 Statistical analysis
Supermonday reserves the right to use SMY User UX data for internal statistical purposes and to improve its Services. These data are automatically anonymised.
The legal basis is the legitimate interest of Supermonday to deliver an appropriate and improved Service to its Customers.
Article 4 – Data conservation period
We do not exceed the legal data conservation periods and Customer and User data are only conserved for the time needed to process them after collection for the purposes defined.
The conservation periods are as follows:
- Customer data: conserved for up to 5 years after the end of the business relationship with the Customer;
- User data: they are automatically erased or anonymised as soon as the Customer has terminated its contractual relationship with Supermonday;
- Customer contact details: they are conserved for up to 3 years after the last invitation sent to the Customer has remained without response, unless the Customer has exercised their right (under the GDPR) to delete their data;
- User contact details (Employees and Administrators): they are automatically erased or anonymised as soon as the Customer has terminated its contractual relationship with Supermonday;
- Customer invoicing data: conserved for up to 10 years after the end of the business relationship with the Customer for accounting, legal and regulatory purposes;
- Statistical data: conserved in anonymised form for up to 3 years after their collection by SMY;
- Exercise of rights: All data provided by the User or the Customer to Supermonday (via email@example.com) has a conservation period defined by Supermonday according to the request to exercise rights submitted by the Customer or by the User.
When creating our data processing policy, we produced a reference table for data conservation periods, based on the recommendations of French Data Protection Authority CNIL. Also, Supermonday is likely to conserve certain personal data to honour its legal or regulatory obligations, to enable Users to exercise their rights, or for statistical purposes. Such data will be deleted or anonymised on expiry of the personal data conservation period.
Article 5 – Access to data
Data collected via the SMY Application are exclusively destined for the following recipients.
5.1 Application hosting
The “SMY” Application is hosted by SCALEWAY, head office listed as 8 RUE DE LA VILLE L’EVEQUE 75008 PARIS France.
The “SMY” Application is accessible via TEAMS published by MICROSOFT FRANCE, head office located at 9 quai du Président Roosevelt, 92130 Issy-les-Moulineaux, France.
Microsoft may access the data to the limit of its respective attributions in order to host the Teams Application. It has limited access to Customer and User data in the course of delivering these Services and is contractually obliged to use them in accordance with the requirements of applicable regulations on personal data privacy.
5.2 Data hosting
User data and Application data are hosted by Scaleway, 8 rue de la Ville l’Evêque 75008 Paris, France Tel: +33 (0)184 130 000.
5.3 Third party services
The Application is automatically interconnected with the User’s Outlook account to link dates of Events and to receive notifications directly on the Outlook account. The Application does not have access to the User’s personal data on Outlook (and any third party data stored via Outlook); it can simply view the periods of availability in User Calendars.
5.4 Within Supermonday
Within the Company Supermonday, the following teams have access to certain User and Customer data (only the following data: first and last names, e-mail) under limited conditions and in respect of their assigned roles:
- Internal technical team: corrects bugs and ensures Application maintenance;
- Invoicing: manages the Contract with the Customer;
- Customer Success Manager: support for the Customer throughout the performance of the Contract to improve the Service proposed and satisfy Customer requirements;
- Data Analytics Manager: responsible for generating statistical reports for the Customer, only has access to anonymised User data.
5.5 Legal obligations
Data may also be transmitted by Supermonday to third parties and applicable authorities to meet legal, judicial, fiscal or regulatory obligations. Supermonday guarantees to Users that no personal data will be disclosed to unauthorised third parties without the prior, voluntary, justified, express, and written consent of the User.
Supermonday shall not process, host or transfer data collected about its Users to a country outside of the European Union or classified as “inadequate” by the European Commission, without informing the data owner and obtaining their consent beforehand.
Supermonday reserves the right to make use of subcontractors as long as they provide guarantees of compliance in terms of personal data processing.
Article 6 – Data privacy
Supermonday has taken all useful and necessary precautions in terms of best practices to protect your data in a secure environment, to prevent destruction, loss, alteration, publication or unauthorised access. Whatever the efforts made, no online transmission methods and digital storage methods are totally secure. In consequence, we are unable to guarantee absolute security. Should we become aware of a security breach, we will inform the Users affected for them to take suitable measures. Our incident notification procedures integrate our legal obligations, whether on a national or European level.
If the integrity and privacy of your data are compromised, the data controller shall apply the procedures described by the French Data Protection Act of 6 January 1978 and the European General Data Protection Regulation (GDPR).
Supermonday does not resell nor externalise User data.
Article 7 – Personal rights
By virtue of the legal provisions of the French Data Protection Act of 6 January 1978 and the General Data Protection Regulation (GDPR), Users of the Application have the following rights:
7.1 Presentation of personal rights
- Right of access, rectification and deletion
The User may view, update, amend or request the deletion of their personal data by sending an e-mail to the personal data controller, stating the reason for their request, using the contact e-mail firstname.lastname@example.org.
If the User has a personal space, they may request the destruction of this space via e-mail to the data controller. The request to destroy data will be processed within 30 business days.
- Right of data portability
The User is entitled to request the portability of their personal data held by the SMY Application, to another site. They must make the request via e-mail to the data controller using the address above.
- Right of limitation and opposition to data processing
The User is entitled to request the limitation of or to oppose the processing of their personal data by the Application, without refusal possible by the Application, unless legitimate and sovereign reasons can be provided and which prevail over the rights, interests and freedoms of the User.
The User must send a request to limit the processing of their personal data to the data controller, via the e-mail address provided above.
- Right not to be subject to a decision based solely on automated processing
In accordance with the requirements of Regulation (EU) 2016/679, the User has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.
- Right to determine how data are processed after death
The User is reminded that they are free to decide how their personal data may be processed after their death, in accordance with French law No. 2016-1321 of 7 October 2016.
- Right to invoke the applicable control authority
If the data controller decides not to respond to the User’s request and the User wishes to contest this decision or feels that one of their rights mentioned above has been violated, they are entitled to file a complaint with French Data Protection Authority CNIL (https://www.cnil.fr) or any judge with competence.
7.2 How to exercise your rights?
Supermonday acts as a data processor of User personal data. The Customer Company making use of Supermonday Services acts as the data controller for the data of its Employees and Users. Consequently, any User request to exercise their rights must be made directly to the appropriate department of the Customer Company.
Supermonday may provide assistance to the Customer Company to manage User requests to exercise their rights.
All requests to exercise rights sent to Supermonday will automatically be returned to the Customer Company so that it may process the request, where necessary in cooperation with Supermonday.
To exercise any of your rights, simply:
- Write a letter or an e-mail to the appropriate department of the Customer Company; or
- Write a letter to Supermonday Data Controller, 15 place Royale 78000 Versailles France; or
- Send an email to this address: email@example.com.
All requests will be handled within one month except for advanced sovereign reasons justified by Supermonday to enable an extension of the deadline.
Supermonday reserves the right to amend this Policy at any time. If changes are made to the Policy, the new validated version will immediately be published on the Teams Application. If the User does not agree with the new terms of the Policy, it will be possible for the User to no longer use the Application Services and no longer browse the Application.