I am a Spanish client in the context of FUNDAE.
1 - Details of the data controller
When our customers use our Services, we collect and process certain information on their behalf. Our customers are therefore responsible for data processing, in accordance with Article 4 of the GDPR. SoWeSoft, as a service provider, acts as a processor.
As such, we are committed to helping our customers in their efforts to ensure the compliance of their processing activities.
If you are unable to contact the data controller, you may contact SoWeSoft’s DPO:
Fabrice BROCHU
SoWeSoft
10 allée Georges Noé, 44860 St Aignan Grand Lieu, France
dpo@sowesoft.com
2 - Objectives
Clearly describe the purpose of the personal data processing and its functionalities.
The personal data collected by SoWeSoft in the course of carrying out its mission to digitalize processes is necessary for the performance of the contractual commitments accepted by the customer.
The purposes for which SoWeSoft processes data are as follows:
- Accurate and automated recording of participants’ attendance at training sessions.
- Generation of attendance certificates for trainers and training managers.
- Real-time monitoring of participants’ attendance throughout training sessions.
- Automation of administrative processes related to the management of attendance and absences.
- Collection of information on participants’ performance during training.
- Monitoring of learners’ progress throughout training programs.
- Analysis of evaluation data to identify the strengths and areas for improvement of training programs.
- Remote evaluations for online or hybrid training courses, thereby facilitating access and participation for learners.
- Compliance with the regulatory and administrative obligations in force in Spain regarding the management of professional training, in particular within the framework of FUNDAE.
Legal basis for the processing of personal data
SoWeSoft processes personal data on the basis of the performance of a contract. When a user enters into a contractual relationship with SoWeSoft, SoWeSoft collects and uses the personal data required to provide the requested services or products, as well as to manage and perform the relevant contract.
As part of the performance of the software agreement, SoWeSoft may collect personal data such as the user’s name, email address, configuration preferences, and other information necessary for the customization and maintenance of the software. See section 5. Categories of data collected for further details.
SoWeSoft processes personal data only to the extent necessary for the performance of the software license agreement. This data is used to ensure that the software complies with the agreed specifications, to provide effective technical support, and to ensure the continued proper functioning of the software.
It is important to note that personal data processed under the software license agreement is strictly used for the purpose of providing the agreed software services and is not shared with third parties without the user’s explicit consent.
3 - Categories of people concerned
The data processing concerns users of the SoWeSoft solution via the following 2 platforms:
- Corporate Application
- SWS Manager
The users identified are:
- Trainers for collective training courses
- Training participants
- Software managers (administrators)
- Human resources managers
4 - Categories of data collected
Data concerning the "Learner in training" profile
- Identification data: first name, last name, gender, date of birth, place of birth
- Contact data: landline phone, mobile phone, email address, postal address
- Data related to training
- Data related to professional life
- Data related to personal life: disability, place of birth of parents
- Connection data
- Data regarding socio-professional categories and education level
Data concerning the "Trainer" profile
- Identification data: first name, last name, address
- Contact data: landline phone, mobile phone, email address
- Connection data
Data concerning the "Software Managers" and "HR Managers" profiles
- Identification data: first name, last name
- Contact data: landline phone, mobile phone
- Connection data
Are sensitive data being processed?
The collection of certain data, particularly sensitive data, is strictly regulated by the GDPR and requires special attention. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, data concerning health, sexual life, or sexual orientation, data related to criminal convictions or offenses, as well as the unique national identification number (NIR or social security number).
[X] Yes [ ] No
If yes, which ones? The NIR
SOURCE OF DATA
The data is collected through provision by the client. This may include, among other things, the connection of the SoWeSoft software to an ERP system, the provision of files containing personal data, as well as manual entries into the software (non-exhaustive list).
Data may also be collected when connecting to the applications and filling out forms.
MANDATORY NATURE OF DATA COLLECTION
The collection of certain data may be mandatory to ensure the achievement of specific data processing objectives. Data necessary for the execution of contracts, such as those specified in point 5, "Categories of collected data," may be considered mandatory to guarantee the delivery of agreed services. Similarly, data necessary for the efficient management of activities, such as contact information for various stakeholders, may be required to ensure smooth communication and proper follow-up.
5 - Retention period for categories of data
How long do you keep this information?
The above-mentioned data is kept for 10 years for legal reasons.
If the contractual relationship with the customer is terminated, the data is provided to the customer before being deleted from SoWeSoft's databases.
6 - Categories of data recipients
Customers
The data controller and all individuals authorized by the data controller.
Internal recipients
(examples: entity or department, categories of authorised persons, IT department, etc.)
- Software development team
- Technical support team
- Data management and information security team
- Team of consultants responsible for monitoring the project
Subcontractors
(Examples: hosting providers, IT maintenance providers, etc.)
- Data hosting service providers
- Third-party maintenance and support service providers
- Third-party software development service providers for specific functionalities
7 - Data transfers outside the EU
Are personal data transmitted outside the European Union?
[ ] Yes [X] No
Personal data is not transferred outside the European Union. It is stored on hosting servers located in the European Union, or in third countries that guarantee the protection of personal data under conditions that are equivalent to those in the European Union.
8 - Safety measures
SoWeSoft implements appropriate technical and organizational measures to ensure, on an ongoing basis, a level of protection adapted to the risks affecting individuals’ privacy, in particular the risks of unauthorized access to personal data, disclosure, destruction, or unlawful use of data.
User access control
To ensure the protection of personal data in accordance with the GDPR, SoWeSoft has implemented the following measures regarding user access control:
- Identification and authentication of users through unique identifiers and strong passwords.
- Implementation of access management procedures to ensure the rapid revocation of access rights in the event of a user’s departure or change of responsibilities.
- Continuous monitoring of authorized users’ activities to detect and prevent any misuse or unauthorized use of data.
Traceability measures
To ensure the traceability of operations carried out on personal data, SoWeSoft has implemented the following measures:
- Logging of all operations carried out on personal data, including access, modifications, and deletions.
- Retention of activity logs for a defined period in accordance with legal data retention requirements.
Software protection measures
To ensure the security of the personal data processed, SoWeSoft has implemented a set of measures designed to protect the software used for data processing. These measures include, in particular:
- Security testing, including vulnerability testing and penetration testing, to assess the resilience of the software against potential attacks and to identify and correct any security vulnerabilities.
- Continuous monitoring of the software environment to detect and respond quickly to any anomalies or suspicious activities that could compromise the security of personal data.
Data encryption
To ensure the confidentiality of personal data, SoWeSoft has implemented the following encryption measures:
- Encryption of personal data in transit, particularly when transmitted over internal and external networks.
- Encryption of personal data at rest, particularly when stored on physical or virtual storage devices.
Control of subcontractors
To ensure that subcontractors comply with personal data protection requirements, SoWeSoft has implemented the following measures:
- Rigorous selection of subcontractors based on their ability to guarantee an adequate level of protection for personal data.
- Signing of contracts including specific clauses relating to the protection of personal data in accordance with GDPR requirements.
- Regular monitoring of subcontractors to verify their compliance with contractual and regulatory requirements relating to the protection of personal data.
Other measures
In addition to the measures mentioned above, SoWeSoft has also implemented the following measures to strengthen the security of personal data:
- Employee awareness training on best practices for personal data protection.
- Regular security audits to continuously assess and improve our data security posture.
9 - Your rights regarding your personal data
Any person concerned by the processing of his or her data may access it and obtain a copy, have it rectified, request that the processing be restricted and, under certain conditions, object to the processing of the data or have it deleted.
- Exercising your rights (contact details of the Data Protection Officer)
To exercise these rights or if you have any questions about the processing of your data under this system, you can contact the administrator by e-mail: dpo@sowesoft.com
- Complaints to the AEPD
If you believe, after contacting the Data Protection Officer, that your rights regarding your data are not being respected, you can file a complaint with the Spanish Data Protection Agency (AEPD) at: delegadoprotecciondatos@sanidad.gob.es, Paseo del Prado 18-20, 28014 Madrid.