Personal data – Training management
The training activities of the company Allergy Free involve the processing of personal data relating to participants and individuals wishing to pre-register for a training programme.
What is this personal data use policy about?
This policy informs you, as a participant (or potential participant) in Allergy Free training programmes, about the characteristics of these data processing activities and your rights regarding your personal data.
This privacy policy is drafted in accordance with French Law No. 78-17 of 6 January 1978 (known as the “Data Protection Act”) and the General Data Protection Regulation (“GDPR”) No. 2016/679.
Who is responsible for this policy?
The data controller is the company Allergy Free, represented by its legal representative Andrea Kuper.
The contact details of the data controller are as follows: 15 rue de l’Annonciade, 69001 Lyon, France.
The data controller can be reached by phone at: +33 (0)4 72 73 03 68.
The contact email address is:
Who is this policy intended for?
This policy applies to participants in training programmes related to the Total Reset Method (TRM).
Purposes (why the data are collected)
The data processing is carried out for the following purposes:
- management of training registrations and delivery;
- creation and management of the learner’s account on the Allergy Free school extranet;
- evaluation of participant satisfaction;
- Allergy Free may also send emails relating to loyalty initiatives and/or commercial prospecting (conferences, workshops, courses or training programmes).
Legal basis for processing: what gives us the right to process the data
The legal basis for the processing is the training contract concluded with the participants.
For loyalty initiatives and/or commercial prospecting activities, the legal basis is the implementation of pre-contractual measures, the concluded contract, and subsequently legitimate interest. Consent is the legal basis when the data subject is a former participant of more than three years.
Data retention period
Data subject to processing are retained for no longer than is necessary for the purposes for which they are collected (principle of data minimisation).
Your data are retained for a period of 10 years for the purpose of providing proof of the training activity.
Data processed
The data controller processes the following categories of data:
- Civil status, identity and identification data (surname, first name, address, telephone number, email address);
- Professional life data (professional situation, company registration number, employer, training courses, levels, assessments, training certificates, etc.);
- Feedback on satisfaction following the training;
- Connection data: username, name, assessments.
Mandatory or optional nature of data collection
The data collected are mandatory in order to carry out the purposes of the processing, except for the company registration number and company name in the case of pre-registration requests.
Sources of data
Data are provided directly by the data subject, except in certain cases: funding bodies, employment services, or the employer.
Recipients of the data
Depending on their respective needs, all or part of the data may be disclosed to third-party recipients such as funding bodies, employment services, or the employer.
Learners have access to a platform for the completion, monitoring and invoicing of training. This platform is operated by Digiforma, and the data processed are detailed in the following policy:
https://www.digiforma.com/rgpd_pour_les_utilisateurs_digiforma/
What security measures are in place?
The data controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The data controller also takes measures to ensure that any natural person acting under the authority of the data controller or the processor who has access to personal data processes such data only on the instructions of the data controller, unless required to do so by law.
Existence of data transfers outside the European Union and associated safeguards
Digiforma servers are located in Europe (Ireland) in the AWS data centre via the web application hosting provider Heroku.
When Digiforma uses a solution that transfers personal data to the United States, it ensures that Standard Contractual Clauses (SCCs) have been signed or that the solution provider is a signatory to the “Data Privacy Framework”, the US regulatory framework for personal data protection adopted by the European Commission on 13 July 2023.
List of solution providers participating in the Data Privacy Framework:
https://www.dataprivacyframework.gov/s/participant-search
Adequacy decision adopted by the European Commission:
https://www.cnil.fr/fr/transferts-de-donnees-vers-les-etats-unis-la-commission-europeenne-adopte-une-nouvelle-decision
Automated decision-making
The processing does not involve fully automated decision-making.
Fate of personal data after death – Right of access, rectification, erasure and data portability
Data subjects may define instructions regarding the retention, erasure and disclosure of their personal data after their death. These instructions may be general or specific.
Data subjects also have the right of access, objection, rectification, erasure and, under certain conditions, portability of their personal data. Data subjects have the right to withdraw their consent at any time where consent is the legal basis for processing.
Requests must indicate the data subject’s surname and first name, email or postal address, and must be signed and accompanied by a valid proof of identity.
These rights may be exercised by contacting:
Andrea Kuper, 15 rue de l’Annonciade, 69001 Lyon, France,
Complaint
Data subjects have the right to lodge a complaint with the supervisory authority (CNIL):
https://www.cnil.fr/fr/webform/adresser-une-plaint
