I'm a French department

1 - Details of the data controller

When our customers use our Services, we collect and process certain information on their behalf. Our customers are therefore responsible for data processing, in accordance with Article 4 of the GDPR. SoWeSoft, as a service provider, acts as a processor.

As such, we are committed to helping our customers in their efforts to ensure the compliance of their processing activities.

If you are unable to contact the data controller, you may contact SoWeSoft’s DPO:

Fabrice BROCHU
SoWeSoft
10 allée Georges Noé, 44860 St Aignan Grand Lieu, France
dpo@sowesoft.com

2 - Objectives

Clearly describe the purpose of the personal data processing and its functionalities.

The personal data collected by SoWeSoft in the course of carrying out its mission to digitalize processes is necessary for the performance of the contractual commitments accepted by the customer.

The purposes for which SoWeSoft processes data are as follows:

  • Accurate and automated recording of participants’ attendance at training sessions.

  • Generation of attendance certificates for trainers and training managers.

  • Real-time monitoring of participants’ attendance throughout training sessions.

  • Automation of administrative processes related to the management of attendance and absences.

  • Collection of information on participants’ performance during training.

  • Monitoring of learners’ progress throughout training programs.

  • Analysis of evaluation data to identify the strengths and areas for improvement of training programs.

  • Remote evaluations for online or hybrid training courses, thereby facilitating access and participation for learners.

  • Accurate and automated monitoring of RSA beneficiaries’ participation in mandatory follow-up activities.

  • Generation of follow-up reports for departments.

  • Real-time monitoring of RSA beneficiaries’ involvement in training and professional integration programs.

  • Automation of administrative processes related to the monitoring of RSA beneficiaries’ activities.

  • Improvement of data traceability and confidentiality compared with traditional monitoring methods.

  • Analysis of monitoring data to assess the effectiveness of professional integration and training initiatives intended for RSA beneficiaries.

Legal basis for the processing of personal data

SoWeSoft processes personal data on the basis of the performance of a contract. When a user enters into a contractual relationship with SoWeSoft, SoWeSoft collects and uses the personal data required to provide the requested services or products, as well as to manage and perform the relevant contract.

As part of the performance of the software agreement, SoWeSoft may collect personal data such as the user’s name, email address, configuration preferences, and other information necessary for the customization and maintenance of the software. See section 5, “Categories of data collected”, for further details.

SoWeSoft processes personal data only to the extent necessary for the performance of the software license agreement. This data is used to ensure that the software complies with the agreed specifications, to provide effective technical support, and to ensure the continued proper functioning of the software.

It is important to note that personal data processed under the software license agreement is strictly used for the purpose of providing the agreed software services and is not shared with third parties without the user’s explicit consent.

3 - Categories of people concerned

The data processing concerns users of the SoWeSoft solution via the following 2 platforms: 

  • Corporate Application  
  • SWS Manager  

The users identified are:

  • Trainers for collective training actions
  • Participants in the training
  • Software administrators (system managers)
  • Human resources managers
  • RSA beneficiaries being followed by the Department, whether funded or not by the ESF (European Social Fund)
  • The Department's referrals in charge of supporting the beneficiaries
  • The external organization's referrals responsible for supporting these beneficiaries

4 - Categories of data collected

Data concerning the “Training Learner” profile

  • Identification data: first name, last name, gender, date of birth, place of birth
  • Contact data: landline phone, mobile phone, email address, postal address
  • Training-related data
  • Professional life data
  • Personal life data: disability, parents' place of birth
  • Connection data

Data concerning the “RSA Beneficiary” profile

  • Identification data: first name, last name, gender, date of birth, place of birth
  • Contact data: landline phone, mobile phone, email address, postal address
  • Training-related data
  • Job search data
  • Professional life data
  • Personal life data: disability, parents' place of birth
  • Connection data

Data concerning the “Trainer” profile

  • Identification data: first name, last name, address
  • Contact data: landline phone, mobile phone, email address
  • Connection data

Data concerning the profiles of “Software Managers,” “Department Referrals in charge of supporting beneficiaries,” and “HR Managers”:

  • Identification data: first name, last name
  • Contact data: landline phone, mobile phone
  • Support-related data: Department or service in charge, professional status, history of interactions with RSA beneficiaries, comments or feedback on the support of beneficiaries
  • Connection data

Are sensitive data processed?

The collection of certain data, particularly sensitive data, is strictly regulated by GDPR and requires special attention. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, genetic and biometric data, data concerning health, sexual life or sexual orientation, criminal convictions or offenses, as well as the unique national identification number (NIR or social security number).

[X] Yes  [ ] No

If yes, which ones? Disability status

Source of the data

The data is collected through provision by the client. This may include, among other things, the connection of the SoWeSoft software to an ERP system, provision of files containing personal data, and manual entries in the software (non-exhaustive list).

Data may also be collected during the connection to applications and the completion of forms.

Obligatory nature of data collection

The collection of certain data may be mandatory to ensure the achievement of specific data processing objectives. Data necessary for the execution of contracts, as specified in section 5, Categories of collected data, may be considered mandatory to guarantee the agreed-upon services. Similarly, data necessary for the efficient management of activities, such as contact information for various stakeholders, may be required to ensure smooth communication and proper follow-up.

 

5 - Retention period for categories of data

How long do you keep this information? 

The above-mentioned data is kept for 10 years for legal reasons. 

If the contractual relationship with the customer is terminated, the data is provided to the customer before being deleted from SoWeSoft's databases. 

6 - Categories of data recipients

Customers

The data controller and all individuals authorized by the data controller.

Internal recipients 
(examples: entity or department, categories of authorised persons, IT department, etc.) 

  • Software development team 
  • Technical support team 
  • Data management and information security team 
  • Team of consultants responsible for monitoring the project 

Subcontractors  
(Examples: hosting providers, IT maintenance providers, etc.) 

  • Data hosting service providers 
  • Third-party maintenance and support service providers 
  • Third-party software development service providers for specific functionalities 
     

7 - Data transfers outside the EU

Are personal data transmitted outside the European Union? 

[ ] Yes  [X] No

Personal data is not transferred outside the European Union. It is stored on hosting servers located in the European Union, or in third countries that guarantee the protection of personal data under conditions that are equivalent to those in the European Union. 

8 - Security measures

SoWeSoft implements appropriate technical and organizational measures to ensure, on an ongoing basis, a level of protection adapted to the risks affecting individuals’ privacy, in particular the risks of unauthorized access to personal data, disclosure, destruction, or unlawful use of data.

User access control

To ensure the protection of personal data in accordance with the GDPR, SoWeSoft has implemented the following measures regarding user access control:

  • Identification and authentication of users through unique identifiers and strong passwords.

  • Implementation of access management procedures to ensure the rapid revocation of access rights in the event of a user’s departure or change of responsibilities.

  • Continuous monitoring of authorized users’ activities to detect and prevent any misuse or unauthorized use of data.

Traceability measures

To ensure the traceability of operations carried out on personal data, SoWeSoft has implemented the following measures:

  • Logging of all operations carried out on personal data, including access, modifications, and deletions.

  • Retention of activity logs for a defined period in accordance with legal data retention requirements.

Software protection measures

To ensure the security of the personal data processed, SoWeSoft has implemented a set of measures designed to protect the software used for data processing. These measures include, in particular:

  • Security testing, including vulnerability testing and penetration testing, to assess the resilience of the software against potential attacks and to identify and correct any security vulnerabilities.

  • Continuous monitoring of the software environment to detect and respond quickly to any anomalies or suspicious activities that could compromise the security of personal data.

Data encryption

To ensure the confidentiality of personal data, SoWeSoft has implemented the following encryption measures:

  • Encryption of personal data in transit, particularly when transmitted over internal and external networks.

  • Encryption of personal data at rest, particularly when stored on physical or virtual storage devices.

Control of subcontractors

To ensure that subcontractors comply with personal data protection requirements, SoWeSoft has implemented the following measures:

  • Rigorous selection of subcontractors based on their ability to guarantee an adequate level of protection for personal data.

  • Signing of contracts including specific clauses relating to the protection of personal data in accordance with GDPR requirements.

  • Regular monitoring of subcontractors to verify their compliance with contractual and regulatory requirements relating to the protection of personal data.

Other measures

In addition to the measures mentioned above, SoWeSoft has also implemented the following measures to strengthen the security of personal data:

  • Employee awareness training on best practices for personal data protection.

  • Regular security audits to continuously assess and improve our data security posture.

9 - Your rights regarding your personal data

Any person concerned by the processing of his or her data may access it and obtain a copy, have it rectified, request that the processing be restricted and, under certain conditions, object to the processing of the data or have it deleted. 

  1. Exercising your rights (contact details of the Data Protection Officer) 

    To exercise these rights or if you have any questions about the processing of your data under this system, you can contact the administrator by e-mail: dpo@sowesoft.com
     
  2. Complaints to the CNIL

    If you believe, after contacting the Data Protection Officer, that your data protection rights have not been respected, you can file a complaint with the CNIL (National Commission on Informatics and Liberty):

    Address: 3 place Fontenoy – TSA 80715 – 75334 Paris Cedex 07
    Phone: +33 1 53 73 22 22
    Website: www.cnil.fr