1 - Who are we?
Epicentre, located at 14-34 Avenue Jean Jaurès, 75019 Paris, France - Tel: +33 (0)1 40 21 29 29, is the "Data Controller" and undertakes to ensure that the collection and processing of your "personal data" (Data) from our paper or digital collection forms (from the Epicentre website) complies with the General Data Protection Regulation (GDPR) and the French Data Protection Act, as amended.
Epicentre is committed to limiting the collection of personal data to that which is strictly necessary, in compliance with data minimisation principles.
2 - The data processing activities
2.1 - What data?
The categories of data processed include identification data to communicate with you, to get to know you better and to facilitate your relationship with Epicentre.
Our contact form:
In order to respond to your contact request via the contact form on our website, Epicentre processes the information provided on the form, i.e. your identity, your contact details and the content of the message, as well as any information communicated subsequently during our exchanges. This data is processed by the department concerned with your request for the time necessary to respond to you.
Processing your donations:
When you make a donation, a purchase, register to pass on your heritage, respond to a survey or take part in a mobilisation operation, through the Médecins sans Frontières (MSF) donation platform, they may collect:
- your bank details (excluding credit card numbers);
- your date of birth;
- information about your donation, purchase or legacy project.
Epicentre processes your Data for the purpose of reviewing and processing your application. Access to your Data is strictly limited to authorized persons at Epicentre who are in charge of managing your application. Your Data is kept according to the following rules:
- If your application is unsuccessful, your Data will be automatically destroyed 2 years after our last contact with you, leaving you the option of requesting its immediate destruction.
- If your application is successful, Epicentre will retain your Data for as long as you remain on staff and then in accordance with legal retention periods.
Epicentre's recruitment platform complies with privacy regulations. In accordance with the General Data Protection Regulation and the French Data Protection Act, you may contact Epicentre's Data Protection Officer to obtain more information and exercise your rights.
As a website manager, Epicentre may collect and share your data on social networks to manage and drive its activities. For example, we may obtain information about you from your social network accounts or services, such as LinkedIn, provided you have set up your account to give us permission to do so. Please check your settings and the privacy policies of these services for more information.
Your membership to the Epicentre association:
When you join the Epicentre association, your contact details are collected to enable us to communicate with you and manage your membership. This Data is processed securely by the association's membership department for the duration of your membership.
2.2 - What data processing activities?
Epicentre uses your Data to carry out its missions, to follow up on our exchanges, to respond to your applications, to inform you about our activities and events, and to provide you with information and management documents (for example, in the context of calls for projects or your membership to the Epicentre association).
In particular, we use your Data to enhance the effectiveness of our actions and to develop a personalized relationship with you in relation to our missions.
We do not sell or trade your information to any third party or charity.
At the bottom of each of our emails, you have the option to unsubscribe or update your preferences. You can unsubscribe at any time.
2.3 - Legal basis of our processing activities
Every organisation needs a legal basis to collect and use personal data covered by data protection legislation. The legislation allows for six ways of processing personal data (and additional ways for sensitive personal data). Four of these apply to the types of processing done by Epicentre.
- consent of the individual (e.g. to send you communications);
- the need to comply with a legal obligation (e.g. to complete our mandatory declarations if you are recruited);
- the performance of a contract (e.g. during the performance of your employment contract if you are recruited);
- the exercise of our legitimate interests (e.g. to promote our values and raise awareness of our actions) provided that such use of the data is fair and does not infringe the rights of the data subject.
2.4 - Recipients
The Data you entrust to us is only used by staff members, volunteers and service providers, within their respective limits of authority, who have been made aware of the need to protect personal data. We regularly review the list of people who have access to your information and these include:
- the various departments of Epicentre, as well as other MSF entities within the MSF international movement in the context of recruitment of employees, it being specified that this access is limited to those persons for whom it is strictly necessary to have access to your Data;
- our service providers who are subcontracted by Epicentre or MSF, under specific contracts that include confidentiality and data protection commitments;
- the competent authorities who may request it in application of the applicable legislation.
We use service providers and subcontractors to help us perform certain services that involve the processing of your Data. Each of these services is governed by a contractual framework, particularly with regard to data protection.
2.5 - International transfers of data
Your Data may be transferred to our subcontractors who may be located outside the European Union.
In order to ensure the security and confidentiality of your Data, we ensure that all our service providers are subject to confidentiality and data protection obligations and that all transfers are made:
- either to a country recognised by the European Commission as providing an adequate level of data protection;
- or to a country that does not provide adequate protection but with which Data transfers have been regulated by the European Commission's standard contractual clauses and additional safeguards where necessary.
2.6 - Data retention
We do not retain your Data for longer than is necessary for the purposes for which it is processed.
These retention periods are determined based on our legal obligations and Epicentre's operational needs in relation to the processing of your Data.
Your Data is stored securely for as long as it is retained by Epicentre and may be archived securely if we are required to retain it for a longer period of time (e.g. to comply with our legal obligations).
2.7 - Data security
We take all appropriate technical and organisational measures and precautions to protect your Data from loss, misuse or alteration.
These measures include:
- all Epicentre staff are trained in the protection and security of your Data and are subject to a confidentiality agreement;
- our site is secured through the use of a TLS protocol;
- our databases are partitioned to ensure their security;
- we make regular backups of data to prevent any risk of loss or deterioration;
- all interventions on our IT environment are secure;
- we have installed means of protection for our premises and servers;
- we have implemented a data access policy to ensure that only authorised persons can access your Data.
3 - Your rights
You entrust us with your Data and we thank you for your trust. However, you have fundamental rights in relation to that Data, in particular, the right to ask us for access to the Data processed, rectification or erasure of the Data, or a restriction of the processing, or the right to object to the processing and the right to Data portability.
Where you give consent to the processing of your Data, you may withdraw that consent at any time, without prejudice to the lawfulness of the processing based on that consent prior to its withdrawal.
You have the right to lodge a complaint with the supervisory authority.
We detail each of your rights below and how to exercise them.
3.1 - How to exercise your rights?
In order to exercise your rights, you may contact the Data Protection Officer of Epicentre at the following address:
- Epicentre – Data Protection Officer
- 14-34 Avenue Jean Jaurès, 75019 Paris, France
- Or via email to email@example.com
We undertake to do everything necessary to satisfy your request within one month.
If we are unable to identify you in our files from the information you have provided, we will inform you and you will be asked for further information.
Where you submit your application electronically, the information will be provided in a commonly used electronic format, unless you request otherwise.
We will systematically archive all records of your enquiries and our responses to them. These elements will be kept as evidence in the event of a complaint or audit.
3.2 - Rights of access
You have the right to obtain confirmation as to whether or not your Data is being processed by our services.
In particular, you have the right:
- to know the purpose(s) of the processing;
- to know the categories of Data concerned by the processing;
- to know the recipients or categories of recipients to whom the Data have been or will be communicated, in particular recipients who are established in third countries or international organisations;
- to know, where possible, the period for which your Data is to be kept or, where this is not possible, the criteria used to determine this period;
- to lodge a complaint with a supervisory authority;
- where personal data has not been collected directly from you, to obtain information about its source;
- to be informed of automated decision-making, including profiling; and
- where your Data is transferred to a third country or to an international organisation, to obtain information on the appropriate safeguards with respect to that transfer.
You may obtain a copy of your Data being processed and we may charge a reasonable fee based on administrative costs for any additional copies requested.
Where you make your request electronically, the information will be provided in a commonly used electronic form, unless you request otherwise.
This right to obtain a copy of your Data shall not prejudice the rights and freedoms of others. To this end, we will ask you to provide us with proof of your identity.
3.3 - Right to rectification
You have the right to obtain, as soon as possible, the rectification of any Data that may be inaccurate. In view of the purposes of the processing, you have the right to have incomplete Data completed, including by providing an additional declaration.
3.4 - Right to deletion (« Right to be forgotten »)
It reflects the right to have your Data erased as soon as possible. We are obliged to erase your Data when one of the following reasons applies:
- your Data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you withdraw the consent on which the processing is based and there is no other legal basis for the processing;
- you object to the processing and there is no compelling legitimate reason for the processing, or you object to the processing for the purpose of canvassing. You may exercise this right at any time, including in relation to profiling insofar as it relates to such prospecting;
- your Data has been unlawfully processed;
- your Data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which we are subject;
- your Data was collected in the context of an offer of information society services to a child. Such processing of Data relating to a child is lawful in France where the child is at least 15 years of age (in this case, Epicentre's communication is only to individuals of legal age or to minors over 15 years of age in the context of media or awareness-raising activities);
- if we have made public Data that we are required to erase, given available technology and the costs of implementation, we will take reasonable steps, including technical steps, to inform other data controllers who process your Data that you have requested erasure, by linking to or copying or reproducing such Data.
Note, however, that this right does not apply to the extent that the processing is necessary:
- for the exercise of the right to freedom of expression and information;
- to comply with a legal obligation to process, as provided for by Union law or by the law of the Member State to which we are subject, or to carry out a task carried out in the public interest or in the exercise of official authority;
- for archival purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
3.5 - Right to restriction of processing
You have the right to have the processing of your Data restricted, in particular where:
- you dispute the accuracy of your Data (for a period of time that will allow us to verify the accuracy of your Data);
- the processing is unlawful and you object to the erasure of your Data by requesting the restriction of its use;
- we no longer need your Data for the purposes of the processing but it is still necessary for you to establish, exercise or defend legal claims;
- you object to the processing on the basis of your right to object, while we verify whether the legitimate grounds for processing prevail.
Where processing is restricted, your Data may, with the exception of storage, only be processed with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important Union or Member State public interest grounds.
A data subject who has obtained the restriction of the processing of his or her Data shall be informed before the restriction of the processing is lifted.
3.6 - Obligation of notification
We will notify each recipient to whom your Data has been disclosed of any rectification or erasure of Data or any restriction on processing unless such disclosure proves impossible or would require disproportionate effort. We will provide you with information about these recipients if you request.
3.7 - Right to data portability
You have the right to receive the Data you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer that Data to another data controller without our interference, where:
- the processing is based on consent or contract; and
- the processing is carried out by automated means.
When you exercise your right to Data portability, you have the right to have your personal data transferred directly from one controller to another, where technically possible.
The exercise of the right to portability is without prejudice to the right to erasure. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This right shall not affect the rights and freedoms of third parties.
3.8 - Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your Data, including profiling.
We will then no longer process your Data, unless there are compelling legitimate grounds for the processing which override your interests and rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where your Data is processed for the purpose of marketing, you have the right to object at any time to the processing of your Data, including profiling insofar as it relates to such marketing. When you object to the processing for marketing purposes, your Data will no longer be processed for such purposes.
We will present and remind you of this right to object in a clear manner, separate from any other information, at the latest at the time of the first communication.
In the context of the use of data profiling services, you may exercise your right to object to the implementation of automated processes using technical specifications.
Where Data is processed for scientific or historical research or statistical purposes, you have the right to object, on grounds relating to your particular situation, to the processing of your Data, unless the processing is necessary for the performance of a task in the public interest.
3.9 - Automated individual decision making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects or significantly affect you.
This right does not apply if the decision:
- is necessary for the conclusion or performance of a contract between the data subject and a controller;
- is authorised by Union law or the law of the Member State to which we would be subject and which also provides for appropriate measures to safeguard rights and freedoms and legitimate interests; or
- is based on your express consent.
Epicentre implements appropriate measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express your views and to challenge the decision.
These decisions may not be based on particular categories of Data unless appropriate measures to safeguard rights and freedoms and legitimate interests are in place.
3.10 - Complaint
You have the right to lodge a complaint with a supervisory authority.
The French data protection authority is the Commission nationale de l’informatique et des libertés (CNIL) - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - +33 (0)1 53 73 22 22.
3.11 - Data source
Where we process Data about you that you have not provided directly to us and that comes from another non-public source, we will tell you from which source your Data has been made available to us.
4 - When do we update this policy?
If we change this policy, we will post the revised version here, with an updated revision date.