Personal data policy

Version in force on 19/04/2024.

1- Purpose

GATTEFOSSE SAS (hereinafter referred to as "Gattefossé") designs, develops, manufactures and markets ingredients for the pharmaceutical and cosmetics industries.

The purpose of this personal data protection policy (the "Policy") is to inform users (the "Users") of the www.gattefosse.com website (the "Site") of the conditions under which their Personal Data is collected and processed in connection with the use of the Site and to describe the conditions for compliance with the rules for the protection of their Personal Data.

This Policy has been drawn up so as to ensure that Gattefossé carries out its activities in accordance with national, european and international legislation relating to the protection of Personal Data and, in particular, Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (the "GDPR") and French Law No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms (the "LIL") (together the "Applicable Regulations").

In the Policy, words or expressions beginning with a capital letter, whether used in the singular or plural, have the definition given by the Applicable Regulations included in the glossary at the end of the Policy. 

2- Personal Data protection principles

The Policy is based on compliance with the principles described below, laid down by the Applicable Regulations. As the Controller for the processing operations it implements, in particular in connection with the management of the Site, Gattefossé is responsible for compliance with these principles and must be able to demonstrate compliance with them at all times. The implementation of and compliance with these principles are essential and must be regularly monitored by the persons responsible for issues relating to the Processing of Personal Data within Gattefossé.

 

2.1- Lawfullness, fairness and transparency

Personal Data must be processed lawfully, fairly and transparently with regard to the Data Subject.

 

2.2- Purpose limitation

Personal Data must be processed for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes.

 

2-3. Data minimisation

Personal Data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

 

2.4- Accuracy

Personal Data must be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that Personal Data which is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay.

 

2.5- Storage limitation

Personal Data must be kept in a form that allows the Data Subjects to be identified for no longer than is necessary for the purposes for which it is processed. They may be kept for longer periods insofar as they are processed exclusively for statistical purposes, provided that appropriate technical and organizational measures are implemented to guarantee the rights and freedoms of the Data Subject.

 

2.6- Integrity and confidentiality

Personal Data must be processed in such a way as to guarantee appropriate security, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

 

3- Processing of Personal Data by Gattefossé

3.1- Data collected in the framework of use of the Site

The Personal Data collected and processed by Gattefossé as Controller are those likely to be collected as part of the User's use of the Site.

By accessing the Site, the User acknowledges having read and accepted the terms of the Policy without reservation.

The Personal Data of Users that may be processed by Gattefossé is User identification data, namely:

  • Civil status (surname, first name);
  • Personal details (postal address, e-mail address, telephone number);
  • Any other Personal Data transmitted by a User.

Gattefossé also collects and processes the following Personal Data:

  • The User's connection data, such as IP address, operating system used or browser type;
  • The data contained in a log file (date and time of connection, actions taken).

 

3.2- Purposes of processing

Gattefossé is responsible for processing Users' Personal Data in connection with the use and management of the Website.

Gattefossé collects Users' Personal Data for the following purposes:

  • Contacting Users: prospects, suppliers, customers and/or other business partners,
  • Carrying out statistics in order to improve the functionalities and performance of the Site and to find out how Users use the Site:
    • Facilitating navigation on the Site;
    • Sharing videos, animated and interactive content;
    • Statistics (e.g. analysis of traffic on the Site);
    • Analyses to develop and improve navigation on the Site and/or the content of the Site.
  • Registration on the reserved part of the Site for information and/or commercial prospecting,
  • Request for samples of Gattefossé ingredients,
  • Subscribe to Addiactive magazine,
  • Sending out a newsletter,
  • Application to an offer published on the Site or spontaneously,
  • Request for press information,
  • Registration and participation in one or more Webinars chosen by Users on the Site.
  • Registration and participation in on  events (galenic days, seminars, customer visits, training, etc.)

Users' Personal Data is strictly confidential and is processed by Gattefossé solely for the purposes described above.

Gattefossé expressly undertakes not to further process Personal Data for purposes incompatible with the aforementioned purposes.

Furthermore, Gattefossé undertakes not to disclose, assign, rent or transmit Users' Personal Data to third parties other than its Affiliates and the Site Data host. 

 

3.3- Legal basis for Data Processing

Gattefossé acts as a Controller within the meaning of the Applicable Regulations when it processes Users' Personal Data for the purposes mentioned above. The legal basis for this processing is :

  • Consent, when given by the User in a free, specific, informed and unambiguous manner to Gattefossé by sending an unsolicited email;
  • Legitimate interests, where the processing of Data is necessary to satisfy the interests of Gattefossé in the context of the services offered by Gattefossé.

 

3.4- Storage time

In accordance with the requirements of the Applicable Regulations, Users' Personal Data collected on the Site will be kept by Gattefossé only for as long as is strictly necessary for the purposes for which they were processed, i.e. :

  • For contact with Users: period required to process the question or request + two (2) years from the last contact of the User with Gattefossé.
  • For statistical purposes in order to improve the functionalities and performance of the Site and to find out how the User uses the Site via cookies: retention period mentioned in the banner linked to cookies in accordance with article 6.
  • For registration on the reserved part of the Site for information and/or commercial prospecting: duration of registration on the Site until withdrawal of consent.
  • For sample requests: period required to process the sample request + two (2) years from the User's last contact with Gattefossé.
  • For subscriptions to Addiactive magazine: duration of subscription to the magazine until withdrawal of consent.
  • For the sending of a newsletter: duration of registration for the newsletter until withdrawal of consent.
  • For applications to an offer published on the Site or unsolicited applications: for the entire duration of the recruitment and in the event of a negative outcome or unsolicited application for two (2) years from the last contact with Gattefossé.
  • To obtain press information: period required to process the request for information + two (2) years from the User's last contact with Gattefossé.
  • To register and take part in Webinars: duration from registration to the day of participation in the Webinar + 30 working days after the day of participation in the Webinar.
  • For registration and participation in on-site events: duration of the event and up to five years after its end.

 

4- Transfer of Personal Data

The Applicable Regulations strictly and precisely govern international transfers of Personal Data.

In principle, Gattefossé prohibits any transfer without the prior consent of the User and appropriate guarantees to ensure that Users' Personal Data is properly protected when transferred to a location outside the European Union.

However, Gattefossé informs the User that his/her Personal Data may be transmitted to certain technical service providers of Gattefossé, such as the service provider carrying out the maintenance of the Site.

Where necessary, Personal Data collected on the Site may be communicated to Gattefossé affiliates located throughout the world. The latter shall comply with Applicable Regulations where applicable and shall respect the processing purposes defined for the said Personal Data collected in this context.

In the event that the Personal Data is transferred to a state that is not a member of the European Union and has not been the subject of an adequacy decision, Gattefossé will take all necessary measures to ensure that the Personal Data is protected with an appropriate level of confidentiality and security in accordance with the Applicable Regulations.

Gattefossé may be required to transmit Personal Data to the competent administrative or judicial government authorities, at their request.

 

5- Confidentiality and security

Gattefossé undertakes to set up all necessary technical and organizational measures in accordance with Applicable Regulations in order to preserve the confidentiality and security of Users' Personal Data so as to ensure the protection of the Personal Data against destruction, loss, alteration, disclosure to unauthorized third parties, to ensure the restoration of the availability of Personal Data and access thereto within an appropriate timeframe in the event of a physical or technical incident.

However, the User must be aware that despite all the security measures implemented, no transmission of Data over the Internet is 100% secure and that all information communicated online can potentially be intercepted and used by persons other than the intended recipient.

In the event of recourse to a subcontractor such as a service provider for the maintenance of the Site, Gattefossé ensures that the latter complies with its obligations in terms of security prior to any communication of Data.

 

6- Cookies

When browsing the Site, cookies may be placed and stored on the User's terminal (computer, tablet, smartphone, etc.). A cookie is a small file deposited and stored on the User's terminal and associated with a web domain. This file is automatically returned on subsequent contacts with the same domain.

Cookies have many uses: they can be used to remember the User's identifier on the reserved part of the Site, to remember the language in which the web page is displayed, to remember the identifier used to track the User's browsing for statistical or advertising purposes, etc. Some of these uses are strictly necessary for the functions expressly requested by the User and are therefore exempt from consent. Some of these uses are strictly necessary for the functionalities expressly requested by the User and are therefore exempt from consent. Others, which do not correspond to these criteria, require the User's consent before reading or writing.

The User is informed of the use of cookies by a banner that appears when connecting to the Site. The User may choose to authorize or prohibit all or some of the cookies by clicking on the "Personalize" button on the banner.

The deactivation of certain necessary cookies may affect the operation of the Site. The User is informed of this when customizing cookies. In the event that the User decides to refuse the storage of a cookie necessary for the optimal operation of the Site, Gattefossé may not under any circumstances be held liable for the consequences of the altered or degraded operation of the Site.

Cookies may be placed by partners (such as Google Analytics) of Gattefossé. These partners may also use the information contained in cookies.

The User has the right to withdraw his/her consent and/or his/her choice of personalization of cookies at any time. The choices expressed by the User, whether consent or refusal, will be recorded and kept for a period of 6 months.

 

7- User rights

In accordance with the Applicable Regulations, Users have the following rights with regard to their Personal Data:

  • Right to information under this Policy ;
  • Right of access to his/her Personal Data and to information relating to the Processing (purposes, category of Personal Data concerned, recipients, retention period, etc.);
  • Right to rectify Personal Data in the event of incorrect or incomplete information.
  • The right to erasure (the right to be forgotten) of Personal Data that is no longer necessary for the purposes for which it was collected or for which the User has exercised his/her right to object to Processing;
  • Right to withdraw consent for Personal Data, which allows the User to withdraw consent at any time by informing Gattefossé by e-mail;
  • Right to object to the Processing of his/her Personal Data for his/her own legitimate reasons or without any reason in the case of the Processing of his/her Data for the purposes of commercial prospection.
  • The right to Personal Data portability, i.e. the right to receive Personal Data that is the subject of Processing in a usable format and/or to request that it be transmitted to another Controller.
  • The right to limit the Processing of Personal Data, when (i) the User disputes the accuracy of the Personal Data or (ii) when the Data storage period has expired but the User needs to retain the Personal Data in order to establish, exercise or defend a legal claim or (iii) when the User objects to one of the Processing of his/her Personal Data;

Unless the request appears excessive or requires disproportionate efforts, Gattefossé, as the Controller, is obliged to respond to Users' requests to exercise their rights as soon as possible and no later than one (1) month after receipt of the request. These rights may be exercised at any time by the User by sending an email to: dataprotection@gattefosse.com, subject to providing proof of identity.

In the event of an unsatisfactory response from Gattefossé in exercising the rights mentioned below, the User may lodge a complaint with his/her local competent authority.

 

8- Changes

This Personal Data Protection Policy may be updated at any time by Gattefossé without any formality other than the posting of a new amended version online, the latter taking precedence over any previous version.

 

9- Contact

If you have any questions about personal data, Gattefossé can be contacted by e-mail at the following address: dataprotection@gattefosse.com.

 

10- Glossary

  • Consent: any free, specific, informed and unambiguous expression of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him or her may be processed.
  • Recipient: means the natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular enquiry in accordance with Union law or the law of a Member State shall not be regarded as recipients; the processing of such data by the public authorities in question shall comply with the applicable data protection rules in accordance with the purposes of the processing.
  • Personal Data: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, an identification number, location data, an online identifier or to one or more elements specific to that person. Examples include surnames, first names, email addresses, telephone numbers, user names, IP addresses, cookies, etc.
  • Data Subject: the natural person to whom the Personal Data relates.
  • Controller: the natural or legal person who decides on the purposes and means of processing personal data.
  • Processing of Personal Data or Processing: any operation or set of operations which may or may not be performed using automated processes and which are applied to data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data transfer: any transfer of personal data to a third country, i.e. one outside the European Union, or to an international organisation, requiring the implementation of special conditions in order to guarantee the security of the Data transmitted.