F.INICIATIVAS is a specialist in the field of financing innovation and commits to comply with the
law on the protection of individuals.
Applicable as from 25 May 2018, the General Data Protection Regulation (EU 2016/679) (“GDPR”) imposes
specific obligations on legal entities that process Personal data.
Under this Regulation, F.INICIATIVAS has access to Personal data as part of its business. F.INICIATIVAS shall act as a Data processor. F.INICIATIVAS’ clients shall act as a Data controller.
This Policy aims to inform F.INICIATIVAS’ clients about all practices related to entrusted Personal data in order to offer them the most suitable protection.
This Policy can only be invoked by a Client. As a consequence, no third party to the service contract
binding F.INICIATIVAS and its Client can invoke any provision stated in this Policy.
2. General information
ARTICLE 1 – DEFINITIONS
1. Appendix to the Policy: The Policy includes an appendix. It identifies and describes all entrusted
Personal data under the Service provided according to the Contractual agreement. In principle, this
Appendix is incorporated in the Contractual agreement and completed by the Client and F.INICIATIVAS
at the date of signature. Otherwise, upon the Client's request, this Appendix can be completed and signed
at the mission kick-off provided in the Contractual agreement.
2. Personal data: Any information relating to an identified or identifiable data subject. An ‘identifiable
individual’ is one who can be identified, directly or indirectly, in particular by reference to an identifier
(such as a name, an identification number, location data, online identifier) or to one or more factors
specific to his physical, physiological, genetic, mental, economic, cultural or social identity (e.g. date of birth,
biometric data, DNA…).
3. Contractual agreement: A quote, a service contract or any writing in any form describing the business
relationship binding the Data controller and F.INICIATIVAS.
4. Working day: Any day, other than a Saturday, Sunday or an official public holiday in France.
5. Policy: This Policy describes what has been implemented by F.INICIATIVAS to protect Personal data.
6. Service: Mission executed by F.INICIATIVAS under its Contractual agreement which requires the
processing of Personal data.
7. Data controller or the ‘Client’: Refers to the legal entity for which F.INICIATIVAS provides the Service.
It determines the purposes and means of the Service.
8. GDPR: The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 that entered into force on May 25, 2018; as transposed in the French Law of
June 20th, 2018 on Personal data protection.
9. Data processor or ‘F.INICIATIVAS’: Refers to the service provider that processes Personal data on
behalf of the Client.
10. Processing: Refers to any operation or set of operations which is performed on Personal data whether
or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.
11. Security breach: A weakness in the Personal data protection system allowing a person to undermine
the protection system’s integrity – that is, its functioning and confidentiality – or the protected data’s
integrity. A security breach does not automatically lead to a Personal Data Breach.
12. Personal Data Breach: Unauthorized access to Personal data, or a security risk which causes, in an
accidental or unlawful manner, the destruction, loss, alteration or unauthorized disclosure of
Personal data transmitted, stored or processed in any way.
ARTICLE 2 – PURPOSE OF THIS POLICY
This Policy defines the conditions under which F.INICIATIVAS processes Personal data entrusted within the
framework of the concerned Contractual agreement. This Policy applies to all data entrusted by the Data
controller unless other written instructions are given and accepted by F.INICIATIVAS.
As part of a privacy impact assessment that must be conducted by the Data controller, F.INICIATIVAS undertakes to assist the Data controller and to provide it with all necessary information. For this purpose, Appendix 1 identifies and describes the type of Personal data being processed.
3. Information and Personal Data Processing
ARTICLE 3 – COLLECTION, TRANSMISSION AND USE OF DATA
Before data collection, the Data controller must notify the data subject of its processing of Personal data.
In accordance with the purpose limitation principle of Personal data, F.INICIATIVAS shall only ask the Data controller for data that is compatible with and necessary to achieve its Service. In addition, following the data minimization principle, F.INICIATIVAS certifies that it requests only necessary information from the Data controller and uses this information to fulfil its Service.
When the Contractual agreement expires, if the transmitted Personal data are not or no longer used,
F.INICIATIVAS undertakes to apply the conditions provided in Article 8.
ARTICLE 4 – REQUIRED APPROVALS
If F.INICIATIVAS was not working with subcontractors when the Contractual agreement was signed,
F.INICIATIVAS hereby declares that it won’t work with any subcontractor without the Data controller’s prior
Moreover, in case F.INICIATIVAS decides that subcontracting is necessary, it shall request the written authorization of the Data controller. The latter may accept or not. If the Data controller accepts, F.INICIATIVAS undertakes to ensure that its subcontractors comply with this Policy.
Outside the scope of the Services, no reproduction and/or transfer of Personal data will be made by
F.INICIATIVAS without the Data controller’s prior authorization.
Following the written authorization requests described above, the Data controller commits to respond to
F.INICIATIVAS within ten (10) working days. Otherwise, F.INICIATIVAS considers that the Data controller has
accepted the request.
If an individual would like to exercise one of his or her individual rights (such as the right of access, right to
rectification, right to erasure, etc.), F.INICIATIVAS, after verifying the data subject’s identity, shall forward
the request to the Data controller. Within seven (7) working days, the Data controller has to send the
necessary instructions to F.INICIATIVAS in order to process the request. If there is no reply within the above
deadline, F.INICIATIVAS will consider that it is free to implement the necessary actions to process the request.
In order to do so, F.INICIATIVAS shall take the most appropriate measures.
ARTICLE 5 – EXCHANGE SECURITY
For any questions regarding Personal data processing, the Data controller and F.INICIATIVAS may turn to the
key contacts mentioned in Appendix 1.
As part of the execution of the Service, upon signature of the Policy, F.INICIATIVAS and the Data controller must determine a list of key contacts to which Personal data may be transferred.
In case of modification of the key contacts, the Data processor and the Data controller must inform each other by any written means. The receiving party shall acknowledge receipt of the information.
ARTICLE 6 – SECURITY MEASURES CHARGED TO F.INICIATIVAS
The Data processor shall ensure a secure Processing and shall commit to:
• Outside official working hours, secure access to its offices through personal badges and an alarm system;
• Always lock IT equipment holding Personal data when it is not in use;
• Supervise the management of data access rights. As a consequence, every employee shall
have access only to the data needed as part of their mission;
• Regularly change passwords for all those who have access to Personal data in the framework of the
Service. This change must take place within a period of time consistent with the criticality threshold
related to the Personal data types;
• Store Personal data provided on a physical medium (such as but not limited to paper, USB key, etc.)
within a secured access area.
As an exception, the Data processor is free to implement other security measures as it pleases if they are at
least equal to the measures referred to in this section.
The Data processor shall comply with and enforce the confidentiality of its employees’ Personal data.
In addition, the Data processor shall train its employees on Personal data in order to raise awareness on that matter.
4. Information and instructions in case of Personal data breach
ARTICLE 7 – PERSONAL DATA BREACH
After becoming aware of a Personal data breach, F.INICIATIVAS commits to do its very best to alert the Data
controller within 48 hours. The Data processor shall inform the Data controller of implemented corrective
If any risks that could affect the security of Personal data are identified, the Data processor shall apply
immediate corrective measures to achieve a more efficient level of protection than originally planned.
5. Consequences of the Service’s expiration
ARTICLE 8 – CONSEQUENCES OF THE SERVICE’S EXPIRATION
This Policy shall apply and remain valid for the duration of the Contractual agreement.
Regardless of why the Contractual agreement has expired, upon the Data controller’s request and subject to the Data
processor’s legal obligations, the Data processor must, within one (1) month following the expiration, destroy Personal data. After the expiry of the statutory period, the Personal data will be destroyed.
Upon the expiry of the last data backup, this destruction will be irrevocable.
According to the conditions provided above, F.INICIATIVAS shall destroy all Personal data that shall not be
Even after the expiry of the Contractual agreement, the obligations intended to last shall continue to produce their effects.
6. Governing Law and Jurisdiction
ARTICLE 9 – APPLICABLE LAW AND JURISDICTION
This Policy is subject to the law and jurisdiction as provided in the Contractual Agreement.
On December 2, 2019