Merry Christmas

Personal Data Protection Policy (PDPP)

1 – Introduction

This Personal Data Protection Policy (hereinafter “PDPP”) defines the principles and practices adopted by Clinreal to ensure the protection of personal data collected and processed as part of its activities.
Clinreal is committed to complying with the General Data Protection Regulation (GDPR) as well as all other applicable regulations relating to the protection of personal data.
The annexes to this policy detail the specific processing carried out for each concerned group and may be consulted according to the needs.

 

2 – Definitions

Definitions and acronyms:

  • CNIL: Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority)
  • DPO: Data Privacy Officer
  • GED: Electronic Document Management
  • PAS: Security Assurance Plan
  • GDPR: General Data Protection Regulation
  • IS: Information Systems
  • PRA: Disaster Recovery Plan
  • PCA: Business Continuity Plan

 

3 – Objective

The PDPP aims to ensure that personal data is collected, used, stored, and protected in accordance with legal requirements and best practices relating to confidentiality and security.

 

4 – Scope of Application

The PDPP applies to all personal data collected and processed in the context of relationships with:

  • Website users
  • Clients
  • Suppliers and subcontractors
  • Employees

Specific policies detail the data processing for each concerned group (see Annex 1).

 

5 – Client and Supplier Privacy Policy

As part of its relationships with clients, suppliers, and subcontractors, Clinreal collects and processes specific personal data, including information on individuals representing suppliers, their contact details, and information relating to contract execution.
For further details, please consult the Client, Supplier, and Subcontractor Privacy Policy.

 

6 – Employee Privacy Policy

Clinreal employees are also subject to the processing of personal data related to human resources management (recruitment, contracts, payroll, training, security, etc.). This policy ensures that all employee personal data is processed securely and in compliance with legal requirements.
For further details, please consult the Employee Privacy Policy.

 

7 – Vigilance Privacy Policy

As part of our commitment to data security and vigilance, we implement measures to monitor and protect our information systems. This includes collecting and processing personal data related to the management of adverse health events and the monitoring of compliance with internal policies and legal requirements.
For more details, please consult the Vigilance Privacy Policy.

 

8 – General Principles

Clinreal undertakes to comply with the following fundamental principles:

  • Legality, loyalty, and transparency: Datas are collected and used lawfully, fairly, and transparently. Individuals are informed of the purpose and conditions of processing.
  • Purpose limitation: Personal datas are collected solely for clear, legitimate, and explicitly defined purposes.
  • Data minimisation: Only data strictly necessary to achieve these purposes is collected and processed.
  • Accuracy: We ensure that datas are accurate and up to date. You may request their correction if needed.
  • Storage limitation: Datas are retained only for the necessary duration unless otherwise required by law.
  • Data security: Technical and organisational security measures protect your data against unauthorised access, loss, alteration, or disclosure.

 

9 – Rights of Data Subjects

In accordance with the GDPR, individuals have the following rights:

  • Access: Obtain a copy of the processed data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request data deletion under certain conditions.
  • Restriction: Limit data processing in specific cases.
  • Portability: Receive data in a structured format or transmit it to a third party.
  • Objection: Refuse processing, unless justified by legitimate grounds.

Requests may be addressed to Clinreal (see contact details at the end of the document).

 

10 – Data Security

Clinreal is committed to implementing technical and organisational measures to protect personal data, including information system security, security incident management, and carrying out audits to ensure compliance with security standards.

 

11 – Subcontracting and Partnerships

Clinreal may use subcontractors who contractually agree to comply with security and confidentiality requirements. Controls ensure their compliance.

 

12 – Policy Updates

Clinreal undertakes to keep this Personal Data Protection Policy (PDPP) up to date to reflect legal, regulatory, or organisational developments. Updates are published on our website.
We invite you to consult this policy regularly. The applicable version is the one published on our website at the time of your consultation.

 

13 – Contact

For any questions regarding this policy or to exercise your rights (access, rectification, deletion, objection, etc.), you may contact our Data Protection Officer (DPO):

Postal address : 66 avenue de l’URSS, 31400 Toulouse
Email : dpo@clinreal.com

We commit to responding promptly and in accordance with GDPR requirements.

 

Annexe 1 : Personal Data Protection Policies

Policy
Data Collected
Purpose
Data Sharing
Retention Period
PCU : User Privacy Policy
 Identity, IP address, login data, visited pages Online services management, user experience improvement Technical subcontractors, competent authorities Technical logs: 1 year; Form data: max. 2 years
PCC : Client, Supplier & Subcontractor Privacy Policy
 Identity, contact details, preferences, contractual data Contract management, compliance with legal obligations Third-party providers, banks, legal authorities Contract duration + regulatory obligations
PCV: Vigilance Privacy Policy
 Health data, identity, usage habits Management of vigilance (cosmetovigilance, nutrivigilance, materiovigilance) Subcontractors (doctors, translators), health authorities 1 year (unless legally required otherwise)
PCS: Employee Privacy Policy
 Administrative, financial, professional data HR management: payroll, training, legal compliance HR providers, legal authorities, insurers Contract duration + legal time limits

Policies may be updated to reflect changes in legislation or Clinreal practices. Users are invited to consult them regularly.

 

User Privacy Policy

 

1- Purpose

Ensure the confidentiality and protection of personal data collected during users’ visits and interactions with the website.

 

2- Data collected

Types of personal data collected include :

  • Identity: First and last name (if submitted via forms)
  • Contact information: Email, phone (if applicable)
  • Technical data:
    • IP address
    • Browser type and version
    • Operating system
    • Connection data (date/time)
    • Pages visited, visit duration, clicks
  • Form data: Messages or specific requests submitted by users

 

3- Purposes of Processing

Data is used to:

  • Provide requested services :
    • Respond to requests submitted through contact forms or other website communication tools.
  • Improve user experience :
    • Analyse interactions to optimise navigation and functionalities.
    • Produce anonymised usage statistics to improve the website.
  • Comply with legal and security obligations :
    • Prevent and detect security incidents.
    • Respond to legal requests from authorities in accordance with the regulation in force.

 

4- Sharing of Your Data 

Personal data may be shared with:

  • Technical subcontractors:
    Service providers involved in hosting, maintenance, or site analysis.
  • Competent authorities:
    In cases of legal obligation or to respond to judicial investigations.

 

5- Data Retention

The retention period varies depending on the nature of the data collected :

  • Form data : Up to 2 years after last interaction with the user.
  • Technical logs (connexion journal) : Retained for a period of 1 year for security and regulatory compliance purposes.

 

6- Use of Cookies

Cookies are used on the website to:

  • Ensure essential functioning : Secure and smooth navigation (essential cookies)
  • Analyse website use : provide with Anonymous statistics to improve content and performance (analytics cookies).

Cookie management:
When visiting the site for the first time, a cookie information banner is displayed. Users can:

  • Accept or refuse the use of analytical cookies.
  • Modify their preferences at any time via a cookie management link available on the site.

 

7- User Rights

In accordance with the GDPR, each user has the following rights regarding their personal data :

  • Access : Obtain a copy of the data collected and processed.
  • Rectification : Modify or update inaccurate information.
  • Erasure : Request the deletion of data, subject to legal obligations.
  • Restriction : Temporarily restrict the processing of certain data.
  • Objection : Refuse the processing of data for specific purposes.
  • Portability : Receive their data in a structured format or request its transfer to a third party.

Exercising your rights :
Requests may be addressed to Clinreal using the following contact details:

Postal address: 66 avenue de l’URSS, 31400 Toulouse
Email: dpo@clinreal.com

 

8- Data Security

Rigorous technical and organisational measures are implemented to protect the data collected, including :

  • Encryption of communications via the HTTPS protocol.
  • Secure storage of data on servers that comply with current security standards.
  • Regular monitoring and audits to detect and prevent any security incidents.

This User Privacy Policy is subject to updates to reflect legal or technical developments. We encourage users to review it regularly.

 

Last updated: June 22, 2024.

 

 

Client, Supplier, and Subcontractor Privacy Policy

 

This policy explains how Clinreal processes the personal data of its Clients, partners, subcontractors, suppliers and their employees as part of its business relationships. Each Client, Supplier or Subcontractor must share this policy with their relevant employees and subcontractors.

This privacy policy is linked to Clinreal’s Personal Data Protection Policy (PDPP).

 

 

1- Responsible of Data Processing

Clinreal, whose registered office is located at 66 avenue de l’URSS, 31400 Toulouse, is responsible for processing personal data relating to its suppliers and subcontractors.

 

 

2- Personal Data Collected

As part of the commercial relationship, Clinreal may collect the following data :

  • Identification : Name, job title, contact details (email, phone number), employer.
  • Specific data : Dietary preferences for events, information related to legal compliance (anti–money laundering and anti-corruption requirements).
  • Other relevant data: Any information necessary for the management of our contract or business relationship.
  •  

3- Purposes of Data Processing

Clinreal processes your personal data for:

  • Administrative and contractual management (contracts, invoices, payments) – necessary for the performance of the contract.
  • Compliance with laws and legal obligations (e.g., anti-money laundering measures) – based on our legal obligations.
  • Legal protection in the event of a dispute – to protect our legitimate interests.
  • Organisation of events (meals or others) – with your consent for certain types of data.
  •  

4- Sharing of Your Data

Your personal data may be shared with :

  • Third-party service providers (maintenance, logistics, marketing, linguistic services, etc.).
  • Professional advisors (lawyers, auditors, accountants).
  • Legal and administrative authorities.
  • Insurers or banks.

Transfers outside the EEA: If necessary, such transfers will be secured using Standard Contractual Clauses approved by the European Commission.

 

 

5- Data Retention Period

Clinreal retains your personal data for as long as necessary for :

  • Contract management.
  • Compliance with legal obligations (archiving in accordance with applicable regulations).

After this period, the data is deleted or anonymised.

 

 

6- Data Security

Clinreal applies technical and organisational measures to protect your data against unauthorised access, loss, or accidental alteration.

 

 

7- Your Rights

You have the following rights regarding your personal data :

  • Withdrawal of consent (for processing based on consent).
  • Access : To consult the data concerning you.
  • Rectification : To correct or update your data.
  • Erasure : To request the deletion of certain data, unless a legal obligation prevents it. We are not required to comply with your deletion request if :

– The processing is necessary to comply with a legal obligation (e.g., tax, social, or administrative obligations).

– The data is required for the establishment, exercise, or defence of legal claims (for example, in the event of an ongoing dispute or claim).

  • Restriction: To limit the processing of your data in certain cases (e.g., when contesting accuracy).
  • Objection: To refuse processing based on Clinreal’s legitimate interest, unless legally required.
  • Portability: To receive your data in a structured format or have it transmitted to a third party.

You may also lodge a complaint with the CNIL (www.cnil.fr) if you believe your rights are not being respected.

 

 

8- Contact

For any questions or to exercise your rights, please contact us at :

Postal address: 66 avenue de l’URSS, 31400 Toulouse
Email: dpo@clinreal.com

 

Last update: 6 March 2024.

 

This policy may be amended to reflect changes in legislation or Clinreal’s practices.

We invite you to consult our privacy policy regularly to remain informed.

 

Privacy Policy Vigilance (Cosmetovigilance, Nutrivigilance, Material Vigilance)

 

This policy explains how Clinreal, acting as a subcontractor for its clients (“Clients”), collects, uses, and protects personal information related to the reporting of adverse health events occurring after the use of products distributed by its Clients.

 

 

1- Role of Clinreal

Vigilance service:
Clinreal provides manufacturers of cosmetic products, food supplements, and medical devices with a service dedicated to monitoring adverse health events.

Clients’ obligations:
Clients must monitor and report these events in accordance with applicable regulations (e.g., European Regulation 1223/2009 for cosmetics, or any national legislation relating to Cosmetovigilance, Nutrivigilance, Materiovigilance, as well as regulations applicable in non-European countries).

 

 

2- Data Collected

When an adverse health event is reported, the Client and Clinreal collect the information necessary to analyze and manage the case:

  • Identification: First name, last name, email, phone number, etc.
  • Health: Illnesses, allergies, medical results, etc.
  • Habits and characteristics: Products used, skin type, ethnic origin if necessary.
  • Personal life: If the event concerns a relative.

This data may come from a questionnaire or be supplemented by experts (doctors, linguists, etc.).

 

 

3- Data Sharing

  • With subcontractors :
    Clinreal may work with subcontractors (for example, physicians or translators) to process your data confidentially and in full compliance with applicable regulations.
  • With competent authorities :
    The data may be transmitted to national or international health authorities to fulfill the legal obligation to report serious adverse health events.

 

4- Data Retention Period

  • Data is retained for 1 year, unless a longer legal retention period is required.
  • Once this period expires, the data is either transferred to the Client and/or anonymized.

 

5- Legal Bases

  • Legitimate interest :  Responding to your report.
  • Public interest mission : Reporting to health authorities.

Some information is mandatory (indicated with an asterisk), while other information is optional.

 

6- Your Rights

Within the limits provided by law, you may :

  • Access your data;
  • Correct or complete it;
  • Restrict its processing in certain cases (e.g., accuracy verification);
  • Define how your data should be handled after your death.

Certain restrictions apply if the processing is based on a legal obligation.

You may also file a complaint with the CNIL (3 Place de Fontenoy, 75007 Paris), the French data protection authority, if you believe your rights are not being respected.

 

7- Contact

For any questions or to exercise your rights, please contact us at:

Postal address: 66 avenue de l’URSS, 31400 Toulouse
Email: dpo@clinreal.com

 

Last update: 20 June 2024

This policy may be amended to reflect changes in legislation or in Clinreal’s practices.
We encourage you to regularly consult our privacy policy to remain informed.

 

Employee Privacy Policy

 

This policy explains how Clinreal collects, uses, and protects the personal data of its employees, in accordance with applicable data protection laws, including the GDPR. This privacy policy is linked to Clinreal’s Personal Data Protection Policy (PDPP).

 

 

1- Responsible of Data Processing

Clinreal, whose registered office is located at 66 avenue de l’URSS, 31400 Toulouse, is responsible for the processing of your personal data.

 

2- Personal Data Collected

As part of your employment relationship, Clinreal may collect the following data :

  • Identification data: First name, last name, date of birth, address, social security number, contact details.
  • Professional information: Position, employment contract, performance evaluations, completed training.
  • Financial information: Salary, bank account details, documents related to employee benefits.
  • Health data: Medical certificates, accommodations related to a disability (within the limits allowed by law).
  • Connection data: Access to Clinreal’s information systems (within a strictly professional framework).
  • Legal compliance data: Professional background checks, if necessary.
  •  

3- Purposes of Data Processing

  • Administrative and HR management : Payroll, contract management, leave, training, performance evaluations.
  • Legal compliance : Social declarations, management of work-related accidents, compliance with employment law.
  • Security and access : Management of badges/video surveillance at the office 66 URSS site, access to informatic systems (NAS, business applications, etc.).
  • Improvement of working conditions : Organization of training or specific measures.
  • Dispute management : Protection of Clinreal’s rights in the event of litigation.

  1.  

4- Sharing Your Data

Your personal data may be shared with :

  • HR service providers (lawyers, accountants, etc.): Payroll management, training tools, employment contract management, or other necessary services.
  • Legal authorities: URSSAF, tax authorities, or any other competent authority.
  • Insurers: For health coverage, provident funds, or other benefits.
  • IT subcontractors: Management of professional tools (emails, HR software).

Transfers outside the EEA:
If a transfer outside the European Economic Area is necessary, Clinreal will ensure that standard contractual clauses or other recognized legal mechanisms are applied.

 

5- Data Retention Period

Clinreal retains your personal data for as long as necessary for :

  • The management of your employment contract and associated legal obligations.
  • If your employment ends, your data is archived to comply with legal requirements or until the expiration of statutory retention periods.

Once these periods have expired, your data is deleted or anonymized.

 

6- Data Security

Clinreal implements technical and organizational measures to protect your data against unauthorized access, loss, or accidental alteration.

 

7- Your Rights

You have the following rights regarding your personal data :

  • Access: View the data collected concerning you.
  • Rectification: Correct or update your data.
  • Erasure: Request the deletion of certain data, subject to legal obligations.

Clinreal is not required to comply with your request for erasure if:

– The processing is necessary to comply with a legal obligation (e.g., tax, social, or administrative requirements).

– The data is necessary for the establishment, exercise, or defense of legal claims (for example, in the event of a dispute or ongoing claim).

  • Restriction: Limit the processing of your data in certain cases (e.g., contesting accuracy).
  • Objection: Refuse processing based on Clinreal’s legitimate interest, unless legally required.
  • Portability: Receive your data in a structured format or transfer it to a third party.

You may also lodge a complaint with the CNIL (www.cnil.fr),the French data protection authority, if you believe that your rights are not being respected.

 

8- Contact

For any questions or to exercise your rights, please contact us at:

Postal address : 66 avenue de l’URSS, 31400 Toulouse

Email : dpo@clinreal.com

 

Last update : 22 April 2024.

This policy may be amended to reflect changes in legislation or Clinreal’s practices.

We encourage you to regularly consult our privacy policy to stay informed.