Choose the country that interests you

    1. Introduction

    F.INICIATIVAS is a specialist within the domain of financing innovation and commits to comply with the
    Individual’s law protection.
    Applicable as from 25 May 2018 the General Data Protection Regulation (UE 2016/679) (“GDPR”) imposes
    specific obligations on legal entities that processing Personal data.
    Under this Regulation, F.INICIATIVAS has access to Personal data as part of its business. F.INICIATIVAS shall act as a Data processor. F.INICIATIVAS’ clients shall act as a Data controller.

    This Policy aims to inform F.INICIATIVAS’ clients about all practices related to entrusted Personal data in order to offer them the most suitable protection.

    This Policy can only be invoked by a Client. As a consequence, any third-party to the service contract
    binding F.INICIATIVAS and its Client cannot claim any disposition stated into this Policy.

    2. General information


    1. Appendix to the Policy: The Policy includes an appendix. It identifies and describes all entrusted
    Personal data under the Service provided according to the Contractual agreement. Theoretically, this
    Appendix is incorporated in the Contractual agreement and completed by the Client and F.INICIATIVAS
    at the date of signature. Otherwise, upon Client requests, this Appendix can be completed and signed
    at the mission kick-off provided in the Contractual agreement.

    2. Personal data: Any information relating to an identified or identifiable data subject. An ‘identifiable
    individual’ is one who can be identified, directly or indirectly, in particular by reference to an identifier
    (such as a name, an identification number, location data, online identifier) or to one or more factors
    specific to his physical, physiological, genetic, mental, economic, cultural or social (e.g. date of birth,
    biometrics data, DNA…).

    3. Contractual agreement: A quote, a service contract or any writing in any form describing the business
    relationship binding the Data controller and F.INICIATIVAS.

    4. Working day: Any day, other than a Saturday, Sunday or an official public holiday in France.

    5. Policy: This Policy describe what has been implemented by F.INICIATIVAS to protect Personal data.

    6. Service: Mission executed by F.INICIATIVAS under its Contractual agreement which requires the
    processing of Personal data.

    7. Data controller or the ‘Client’: Refers to the legal entity for which F.INICIATIVAS provides the Service.
    It determines the purposes and means of the Service.

    8. GDPR: The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the
    Council of 27 April 2016 that entered into force on May 25, 2018; as transposed in the French Law of
    2018,June 20th, 8 about Personal data protection.

    9. Data processor or ‘F.INICIATIVAS’: Refers to the service provider that processes Personal data on
    behalf of the Client.

    10. Processing: Refers to any operation or set of operations which is performed on Personal data whether
    or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or
    alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
    available, alignment or combination, restriction, erasure or destruction.

    11. Security breach: Weaknesses in the Personal data protection system allowing a person to undermine
    the protection system’s integrity – it means to its function and confidentiality – or protected data’s
    integrity. A security breach does not automatically lead to a Personal Data Breach.

    12. Personal Data Breach: Unauthorized access to Personal data or security risks which causes by
    accidental or unlawful manner destruction, loss, alteration, unauthorized disclosure of transmitted
    Personal data stored or processed in any way.


    This Policy defines the conditions under which F.INICIATIVAS processes Personal data entrusted within the
    framework of the concerned Contractual agreement. This Policy applies to all data entrusted by the Data
    controller unless other written instructions given and accepted by F.INICIATIVAS.
    As part of a privacy impact assessment that must be conducted by the Data controller, F.INICIATIVAS undertakes to provide its assistance and provide all necessary information to the Data controller. For this purpose, Appendix 1 allows to identify and describe the type of Personal data that being processed.

    3. Information and Personal Data Processing


    Before data collection, the Data controller must notify its processing of Personal data to the data subject.
    In accordance with the purpose limitation principle of Personal data, F.INICIATIVAS shall only ask to the Data controller compatible and necessary data to achieve its Service. In addition, following the data minimization principle, F.INICIATIVAS certifies to request only necessary information from the Data controller and to use these informations to fulfil its Service.

    When the Contractual agreement expires, if the transmitted Personal data are not or no longer used,
    F.INICIATIVAS undertakes to apply the conditions provided in Article 8.


    If F. INICIATIVAS was not working with subcontractors when the Contractual agreement has been signed, F.
    INICIATIVAS hereby declares that it won’t work with any subcontractor without the Data controller’s prior

    Moreover, in case F.INICIATIVAS decides that subcontracting is necessary, it shall request written authorization of the Data controller. The latter may accept or not. If the Data controller accepts, F.INICIATIVAS undertakes to ensure that its subcontractors comply with this Policy.

    Outside the scope of the Services, no reproduction and/or no transfer of Personal data wil be made by
    F.INICIATIVAS without Data controller’s prior authorization.

    Following the written authorization requests described above, the Data controller commits to respond to
    F.INICIATIVAS within ten (10) working days. Otherwise, F.INICIATIVAS considers that the Data controller has
    accepted the request.

    If an individual would like to exercise one of its individual rights (such as the right of access, right to
    rectification, right to erasure, etc.). F.INICIATIVAS, after verifying the data subject’s identity, shall forward
    the request to the Data controller. Within seven (7) working days, the Data controller have to send the
    necessary instructions to F.INICIATIVAS in order to process the request. If there is no reply within the above
    deadlines, F.INICIATIVAS will consider that it is free to implement the necessary actions to process the request.
    In order to do so, F.INICIATIVAS shall take the most appropriate measures.


    For any questions regarding Personal data processing, the Data controller and F.INICIATIVAS may turn to the
    key contacts mentioned in Appendix 1.
    As part of the execution of the Service, upon the Policy signature, F.INICIATIVAS and the Data controller must determine a list of key contacts to which Personal data may be transferred.
    In a case of modification of the key contacts,the Data processor and the Data controller must inform each other by any written means. The receiving party shall acknowledge receipt of the information.


    The Data processor shall ensure a secure Processing and shall commit to:
    • Outside official working hours, secure access to its offices through personal badges and alarm system;
    • Always lock IT materials holding Personal data when it is not used.
    • Supervise control of the management of access data’s rights. As a consequence, every employee shall
    have access only to needed data as part of their mission.
    • Repeatedly change passwords for all of those who has access to Personal data in the framework of the
    Service. This change must take place within a consistent period of time with the criticality threshold
    related to Personal data types.
    • Store Personal data provided on a physical support (such as but not limited to paper, USB key, etc.)
    within secured access area.

    As an exception, the Data processor is free to implement as it pleases other security measures if they are at
    least equal to the measures referred to this section.

    The Data processor shall comply and enforce confidentiality of its employees’ Personal data.
    In addition, the Data processor shall train its employees on Personal data in order to raise awareness on that matter.

    4. Information and instructions in case of Personal data breach


    After being aware of a Personal data breach, F.INICIATIVAS commits to do its very best to alert the Data
    controller within 48 hours. The Data processor shall inform the Data controller of implemented corrective

    If any risks that could affect the security of Personal data are identified, the Data processor shall apply
    immediate corrective measures to achieve an efficient level of protection than originally planned.

    5. Consequences of the Service’s expiration


    This Policy shall apply and remain valid during the Contractual Agreement.

    No matter why the Contractual agreement has expired, upon Data controller’s request and subject to Data
    processor’s legal obligations, the Data processor must within one (1) month following the expiration to destroy Personal data. After the expiry of the statutory period, the Personal data will be destroyed.
    Upon the expiry of the last data backup, this destruction will be irrevocable.

    According to the conditions provided above, F.INICIATIVAS shall destroy all Personal data that shall not be

    Even after the expiry of the Contractual agreement, the obligations intended to last shall continue to produce their effects.

    6. Governing Law and Jurisdiction


    This Policy is subject to the law and jurisdiction as provided in the Contractual Agreement.
    On December 2, 2019
    Vincent VILPELLET,

    Vous avez besoin d’aide

    JANE 24/02/2020, 07:20


    Help Fermer