General Data Protection Regulation
Thésée DataCenter
32 rue du Clos de la Reine
78410 Aubergenville
A French Data Player
thésée datacenter
PERSONAL DATA PROTECTION POLICY OF THESEE DATACENTER
Version April-16-2024
Respect for privacy and the protection of personal data is a key factor in trust and a value that Thésée Datacenter is particularly committed to, respecting fundamental freedoms and rights. This personal data protection policy (hereinafter referred to as the « Data Protection Policy » or « Policy ») aims to inform you about the processing that Thésée Datacenter may perform on your personal data and the conditions under which such processing is carried out.
It is regularly updated to take into account legislative and regulatory changes, as well as any changes in the organization of Thésée Datacenter or its service offerings. It may be supplemented by additional information that may be brought to your attention, particularly when data concerning you is collected or regarding the use of Thésée Datacenter services, through your employer as provided in the contractual stipulations, terms of use, or other applicable specific conditions.
When terms used in this Data Protection Policy are defined by Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the « GDPR »), they have the meaning given to them by the GDPR.
- DESCRIPTION OF PERSONAL DATA PROCESSING
Thésée Datacenter may collect and process personal data concerning you in the following cases:
- You are in contact with Thésée Datacenter to be informed about its services and activities;
- You participate in an event organized by Thésée Datacenter or in which Thésée Datacenter participates;
- You are a job candidate at Thésée Datacenter;
- You visit the Thésée Datacenter website;
- You are a service provider, supplier, or partner of Thésée Datacenter (or a director or employee of a service provider, supplier, or partner of Thésée Datacenter);
- You are a director or employee of a Thésée Datacenter client and interact with Thésée Datacenter teams and/or use Thésée Datacenter services.
The conditions under which Thésée Datacenter collects and processes your personal data in these various scenarios are described below.
The retention periods mentioned are without prejudice to the possibility for Thésée Datacenter to retain your data based on legitimate interest to assert its rights in the event of a security incident, claim, dispute, pre-litigation, or litigation, within the applicable limitation periods, and, in case of proceedings, until a final decision (i.e., no longer subject to appeal) is rendered. In such cases, the data may also be transmitted to authorities, Thésée Datacenter’s legal advisors, and any interested party based on pursuing a legitimate interest.
When you act on behalf of an entity, your data may also be made available to that entity under the contract it has concluded with Thésée Datacenter or in pursuit of a legitimate interest. In such cases, the entity defines the purposes and means of processing your data. You can exercise your rights directly with it.
A: Management of Marketing and Commercial Activities
Thésée Datacenter may collect and process data about you to communicate information about its activities and services (commercial offers, newsletters, etc.).
This is particularly the case when you contact Thésée Datacenter to receive information about its activities or services via an online contact form, by subscribing to a Thésée Datacenter newsletter, or by contacting Thésée Datacenter or one of its employees directly by phone, email, or social media.
Thésée Datacenter may also contact you if, due to your professional activities, you may be interested in learning about Thésée Datacenter’s activities and using its services. In such cases, Thésée Datacenter allows you to exercise your right to object.
Depending on the case, your data is collected and processed based on your consent or Thésée Datacenter’s legitimate interests (Articles 6.1 a) and f) of the GDPR).
In this context, Thésée Datacenter may process the following data about you:
- Your first and last names;
- Your contact details (addresses, phone numbers, emails, social media accounts);
- Your professional information (your roles, where applicable, the entities for which you work, the services that might interest you or your employer);
- Your interactions with Thésée Datacenter.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Commercial prospecting and communication of information related to Thésée DataCenter’s activities and services |
Identification data
Professional data
Interactions |
Until consent is withdrawn or the right to object is exercised, and at the latest 36 months after your last interaction with Thésée DataCenter. |
Thésée DataCenter roviders in charge of managing communication operations Entity on whose behalf you are acting Thésée DataCenter’s partners |
Consent or legitimate interest as applicable (Articles 6.1 a) and f) of the GDPR) |
B: Event Management
When you register and participate in an event organized by Thésée Datacenter or in which Thésée Datacenter participates, Thésée Datacenter collects and processes data about you, particularly:
- Your first and last names;
- Your contact details (email addresses, phone numbers, social media accounts);
- Your professional information (roles, and, where applicable, the entities for which you work);
- Data related to your participation in the event (conferences and workshops you are registered for and participate in).
This data is collected to organize and manage your participation in the event (registrations, information, itinerary) and subsequently to provide feedback on the event (statistics, attendance, highlights, etc.). They are processed by Thésée Datacenter and, where applicable, Thésée Datacenter’s partners in charge of organizing the event, and retained for the duration of the event and 90 days afterward.
They may also be retained to subsequently communicate information about similar upcoming events or information about Thésée Datacenter’s activities and services as described in section A « Management of Marketing and Commercial Activities » above.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Organization and management of event participation | Identification data (name, first name, contact details, professional information) Data related to event participation |
Duration of the event + 90 days
|
Thésée DataCenter teams Thésée DataCenter’s partners in charge of organizing events |
Performance of contracts (Article 6.1 b) of the GDPR) |
C: Management of Job Applications
If you submit a job application to Thésée Datacenter (whether by postal mail, email, on the Thésée Datacenter website, or on social media), Thésée Datacenter processes data about you to manage your application.
This data includes the information provided in your application, particularly:
- Your first and last names;
- Your contact details (email addresses, phone numbers, social media accounts);
- The education and degrees you have obtained;
- Your past experiences (roles, employers, tasks, employment periods);
- Your interests;
- The documents submitted with your application (cover letter, CV, letters of recommendation, work samples);
- Your salary expectations;
- The dates and results of any interviews with Thésée Datacenter teams;
- The outcome of your application (acceptance, rejection, type of contract offered).
This data is retained by Thésée Datacenter by default for 12 months following the end of the application process. They may be retained and processed beyond this period with your consent or for managing potential claims or disputes.
Conditions for processing data of Thésée Datacenter employees are subject to separate terms.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Management of job applications | Data provided as part of the application |
Duration of the application management process + 12 months
|
Thésée DataCenter teams Thésée DataCenter’s partners in charge of recruitment (such as consulting or recruitment firms) |
Execution of pre-contractual measures (Article 6.1 b) of the GDPR) |
D: Management of Customer and Supplier Relationships
If you are a service provider, supplier, or partner of Thésée Datacenter, or wish to become one, or if you are a representative or employee of a Thésée Datacenter customer or prospect or an entity that is or wishes to become a service provider, supplier, or partner of Thésée Datacenter, Thésée Datacenter collects and processes data about you, particularly:
- Your first and last names;
- Your professional contact details (email addresses and phone numbers);
- Your roles;
- Where applicable, the identity of the entity on whose behalf you are acting;
- Your interactions with Thésée Datacenter.
This data is collected and processed to manage the pre-contractual and contractual relationships established between you (or the entity you represent) and Thésée Datacenter.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Contractual and pre-contractual management |
Identification data Service orders |
Duration of the relationship |
Thésée DataCenter Entity on whose behalf you are acting Providers in charge of managing tools (CRM, ERP) |
Conclusion and execution of the contract Legitimate interest (Articles 6.1 b) and f) of the GDPR) |
Interactions | 5 years |
E: Management of Services Provided by Thésée Datacenter
If you use Thésée Datacenter’s services on behalf of your company or employer, Thésée Datacenter may collect and process data about you to provide and ensure the security of said services.
This is particularly the case when you use the IT tools provided to your company or employer by Thésée Datacenter.
In this context, Thésée Datacenter collects and processes the following data:
- Your first and last names;
- Your professional contact details (email addresses and phone numbers);
- Your roles;
- Where applicable, the identity of the entity on whose behalf you are acting;
- Your interactions with Thésée Datacenter, particularly with the support and customer relations teams;
- Your login credentials and connection histories to the tools provided by Thésée Datacenter.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Support and assistance in the use of services |
Identification data Interactions |
5 years |
Thésée DataCenter Entity on whose behalf you are acting Providers in charge of managing the tools provided
|
Execution of the contract
|
Management and securing of tools provided by Thésée DataCenter |
ID data Connection and usage logs |
12 months |
Compliance with legal obligations
ILegitimate interest (Articles 6.1 c) and f) of the GDPR) |
F: Information for Visitors to Thésée DataCenter Sites and Data Centers
Access Conditions to Thésée DataCenter Sites
Access to Thésée DataCenter sites and data centers is subject to the conditions communicated by Thésée DataCenter during the visit, as well as the requirement to present a valid identification document (ID card or passport). Without this, access will be denied.
Access to different areas of Thésée DataCenter sites and data centers requires the use of a badge provided to the visitor upon arrival in exchange for their identification document. This badge must be returned by the visitor upon leaving the site (including in case of temporary or non-final exit).
Visitors are strictly prohibited from accessing or attempting to access areas of the sites and data centers for which they do not have access rights.
Processing of Personal Data of Visitors
Personal data concerning visitors to Thésée DataCenter sites and data centers (name, first name, professional contact details, affiliated entity, history of their access to different areas of Thésée DataCenter sites and data centers, CCTV footage) are collected and retained in accordance with current regulations.
They are processed by Thésée DataCenter to secure its sites and data centers, as well as by Thésée DataCenter’s client entities and partners to secure the hosting spaces provided to them in Thésée DataCenter data centers. In this context, they are used to authorize and restrict access, ensure compliance with access conditions (particularly to ensure that visitors do not attempt to access unauthorized areas), verify that access is justified, and, if necessary, determine the causes and circumstances of an incident.
These data are made available to the security agents in charge of Thésée DataCenter sites and data centers, and are accessible to the providers managing the access control systems. In case of an incident, they may also be communicated to the authorities, particularly as part of investigations or prosecutions, as well as to any legitimately interested party.
G: Management of Rights Requests
If you submit a request to Thésée Datacenter to exercise your rights (access, deletion, rectification, objection, portability) regarding personal data about you in its possession, Thésée Datacenter collects and processes data about you to manage your rights request, particularly:
- Your first and last names;
- Your contact details (email addresses and phone numbers);
- The content of your rights request;
- If necessary, proof of identity.
This data is retained for 5 years, including 4 years in archival form; identity proofs are retained only in archival form for 1 year.
Regarding the conditions for exercising the aforementioned rights, see Section 3. « How to Exercise Your Rights? » below.
Summary of Processing Conditions
Purposes of processing | Categories of personal data processed | Retention period | Categories of recipients | Legal basis for processing |
Management of requests addressed to the Data Protection Officer | Identification data and content of requests submitted via online forms | Request processing time + 5 years |
Thésée DataCenter
Administrative and judicial authorities |
Compliance with legal obligations
(Article 6.1 c) du GDPR) |
Proof of identity | Request processing time + 1 year |
- CONDITIONS FOR PROCESSING PERSONAL DATA
Thésée Datacenter has established an organization to ensure compliance of personal data processing with applicable laws and regulations, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the « GDPR »), Law No. 78-17 of January 6, 1978, on information technology, files, and liberties, as amended by Ordinance No. 2019-964 of September 18, 2019, in France, as well as CNIL’s benchmarks and recommendations.
This organization is based on:
- A commitment to systematically consider the right to privacy and applicable regulatory requirements and best practices;
- The implementation of recognized standards and benchmarks;
- The application of principles to ensure the sovereignty of its services.
A: Implementation of Principles for Personal Data Protection
The management of Thésée Datacenter is committed to systematically considering the right to privacy and applicable legal requirements in managing its activities and services provided to its clients.
When acting as a data controller, Thésée Datacenter ensures:
- To inform individuals and enable them to exercise the rights conferred on them by data protection regulations;
- To collect only the personal data necessary for the intended processing purposes, particularly those outlined in this policy;
- To implement processes to ensure the accuracy and updating of the data used and their deletion when no longer needed;
- To process personal data only for the initially intended or compatible purposes unless consent is obtained or individuals are informed of other legal bases for processing;
- To implement technical and organizational measures to protect personal data from destruction, loss, alteration, unauthorized disclosure, or access, whether accidental or unlawful;
- To have effective processes for managing data incidents and breaches;
- To document the processing activities and conduct required impact assessments.
To ensure these commitments are met, Thésée Datacenter has appointed a « Data Protection Officer » (DPO) since 2021, whose role is externalized to a recognized expert provider.
The DPO ensures trust, serving as a specialized contact for data protection, overseeing the proper application of data protection rules, and being the preferred contact for the CNIL and any individual concerned by personal data collection or processing. The DPO handles the missions outlined in Article 39 of the GDPR.
Thésée Datacenter ensures the DPO is appropriately and timely involved in all matters relating to personal data protection linked to its activities. For this purpose, the DPO is involved in the various processes planned within Thésée Datacenter’s ISMS.
B: Technical and Organizational Measures in Line with Recognized Standards
ISO/IEC 27001:2013 Certification
Thésée Datacenter has implemented an Information Security Management System (ISMS) compliant with the ISO/IEC 27001:2013 standard. The ISMS compliance was initially audited and certified in 2023 by an independent auditor for all high-availability physical, energy, and network connectivity infrastructure hosting services provided by Thésée Datacenter to its clients.
This compliance is reassessed and audited annually both internally and by an independent external auditor.
HDS Certification
Thésée Datacenter has implemented the Health Data Hosting (HDS) certification framework « Requirements and Controls » (Final Version 1.1 – May 2018) developed by the French Digital Health Agency. Compliance with this framework for its physical infrastructure hosting services was audited and certified in 2023 by an independent accredited auditor.
This certification allows Thésée Datacenter clients to host information systems used for processing health data in Thésée Datacenter’s data centers.
CISPE Code of Conduct
Additionally, Thésée Datacenter adheres to the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct for Cloud Infrastructure Service Providers (version of February 9, 2021), approved by the CNIL on June 3, 2021 (Deliberation 2021-065 of June 3, 2021).
C: Subcontracting
Thésée Datacenter uses third-party providers who may process personal data as subprocessors under Thésée Datacenter’s instructions (see the categories of recipients listed in the « Description of Personal Data Processing » section above). Thésée Datacenter ensures these subprocessors comply with applicable regulations, implement technical and organizational measures to secure personal data processing, and formalize contracts with each subprocessor in accordance with Articles 28 and 32 of the GDPR.
When subprocessors are involved in delivering Thésée Datacenter’s services, it is done with the clients’ agreement, who are informed of the subcontractors’ involvement conditions.
D: Sovereign Services Protected from Extraterritorial Laws
Thésée Datacenter is a French company predominantly owned (directly or indirectly) by French nationals or entities, and no non-European entity or person from a non-EU country can exert decisive influence on Thésée Datacenter or its decisions, either directly or indirectly through one or more intermediary entities.
All services and personal data processing activities by Thésée Datacenter are provided and operated from and within French territory. In delivering its services, Thésée Datacenter does not transfer client data outside the European Union and commits contractually not to do so without client consent.
In case of a request from a state or authority (administrative, judicial, or other) outside the European Union for access to personal data hosted in its data centers, Thésée Datacenter commits to systematically oppose the request unless it is established to be in execution of a recognized and enforceable decision under EU law and the law of the EU Member State governing the processing concerned, in accordance with Article 48 of the GDPR.
3. HOW TO EXERCISE YOUR RIGHTS?
In accordance with the GDPR, you have the right to access personal data concerning you held by Thésée Datacenter, and the right to request their rectification, deletion, and/or portability, as well as the right to object to certain processing or restrict its scope.
These rights can be exercised with Thésée Datacenter’s Data Protection Officer:
- By email at: dpo@thesee-datacenter.com
- By postal mail to: Thésée Datacenter, Data Protection Officer, 32 rue du Clos Reine, 78410 Aubergenville, France.
In accordance with Article 12 of the GDPR, your rights requests must be accompanied by information demonstrating your identity. If in doubt, additional information or documents, such as proof of identity, may be requested by Thésée Datacenter to ensure your identity.
Your request will be addressed as promptly as possible and in any case within the time limits specified in Article 12 mentioned above.
For more information on managing your rights requests, see Section 1.G « Management of Rights Requests » above.
You also have the option to file a complaint with the Commission Nationale Informatique et Libertés (« CNIL »), the competent authority for personal data protection, at the following address:
Commission National Informatique et Liberté
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
Thésée Datacenter, a French expert in datacenter housing, offers Tier IV certified solutions, ensuring maximum availability for your critical data.
With an exceptional PUE of 1.2, Thésée Datacenter combines maximum protection with environmental responsibility.
OUR LINKS
CONTACT US
Thésée DataCenter 1
32 rue du Clos Reine
78410 Aubergenville
Thésée Data Center 2
146 Avenue Joseph Kessel
78960 Voisins le Bretonneux