Personal data protection policy

1. Who are we? Who are we?

The CASD is a public interest group whose members are:

– the State represented by the Minister of Economy, himself represented by the Director General of the National Institute of Statistics and Economic Studies (INSEE), Directorate General of the Ministry of Economy;
– the Group of National Schools of Economics and Statistics (GENES);
– the Centre National de Recherche Scientifique (CNRS);
– the Ecole polytechnique;
– HEC Paris.

CASD offers a service enabling duly authorised users to carry out – at a distance – processing for research, study, statistical or historical purposes on very detailed individual data, with powerful computing facilities and in strict compliance with national and European legislation and applicable confidentiality and security rules. These data are generated and produced by CASD partners, in particular by INSEE, official statistics, administrations and health data producers.
Data security is therefore at the heart of our business.

Through this policy, we want to inform you in a clear and transparent manner about the conditions under which we collect, process, store, archive and delete the personal data of our users, customers and partners.
You will also find a reminder of the rights you have over your personal data and all the information you need to exercise them. It is our responsibility as a partner to ensure that you can remain in control of the use of your data at all times.
Data security is our priority.

1.1 Data controller
The CASD, whose identity and contact details are specified under the heading “Legal information”, as the controller.

1.2 Our Privacy Officer
The Data Controller has appointed a person responsible for the personal data protection policy who you can contact:
by email at the following address: dpo@casd.eu
or
by mail to the following address:
Secure Data Access Centre (CASD)
5 avenue Henry le Chatelier
TSA 16643
91764 Palaiseau Cedex

2. Personal data that we process

Personal data is any information that directly or indirectly identifies a natural person, such as your name, address, telephone number, date of birth, IP address with which you connect to the Internet, etc.
Today, personal data is a valuable tool to provide you with the fast, efficient and personalized service you expect from us.

We mainly process personal data of two kinds:

– Personal data known as declarative data, i.e. data collected directly from you or from partners with whom we have a contractual relationship, as part of our continuous improvement policy and the operation of our service.
– Personal data related to the operation of products and services, generated in particular when using the CASD secure access system, for management and monitoring purposes.

As part of the processing operations to manage access to its services, CASD, as controller, collects and processes the following data:

– name, first name(s), e-mail address, telephone number

3. Purposes of our processing operations

The processing operations we carry out are carried out to ensure the following purposes:

  • Content management of a website;
  • User relationship management;
  • Management and use of the services offered on the site;
  • Use of data in a public interest mission;
  • Administrative management of the CASD;
  • Management of CASD services;

In the event of a request, we undertake to explain in a clear, concise and accessible manner what is being done in terms of data use and to maintain a dialogue with all those working with the CASD, in order to be able to support them and meet their expectations as effectively as possible.

4. Legal basis for our processing operations

These personal data processing operations are based on:

– the existence of our legitimate interest, or that of a third party, justifies that we carry out the processing of the personal data concerned;
– the execution of a contract binding us to you requires us to implement the processing of the personal data concerned;
– where applicable, the explicit consent of the persons concerned.

5. Shelf life

Your personal data are kept for the duration of the contractual relationship, increased by the mandatory retention periods, the legal limitation period and, in the event of a dispute, for the duration of the proceedings and until the expiry of the ordinary and extraordinary remedies.

The storage periods shall ensure that they do not exceed the time strictly necessary for the proper execution of the treatment. To determine each duration, we took into account:

– The different purposes for which these data are collected;
– The persons concerned by the collection;
– Compliance with legal, regulatory or professionally recognized obligations to which we are bound.

The storage of data, particularly in our users’ secure workspaces, is carried out according to rigorous validation procedures. We are committed to promoting good practices among users, customers, staff members and partners (in terms of confidentiality, data retention and archiving in particular).

6. Data recipients

These data are intended for the CASD, the controller, its authorised departments, namely the Project management service, the Data Management service and the IT department, as well as any subcontractors and partners.
The user acknowledges having been informed and accepts that personal data concerning him/her may be communicated to the above-mentioned recipients.

7. Rights of the data subjects

Any person concerned by a processing operation has the right to query, access, rectify, delete and transfer his or her data and the right to limit the processing operation.

Your request for the right to delete may, in certain cases, not be successful. For example, if the data is necessary for the performance of the services we provide to you under a contract or if we are required by law to retain your data beyond the duration of the contractual relationship. In order to exercise your right to delete, you will have to indicate the processing concerned and the reason for your request by e-mail to dpo@casd.eu so that we can ensure that it is not contrary to our legitimate interest or to any regulation to which we may be bound in terms of data retention.

As part of the exercise of the right to portability, we will return the declarative data to you. As a reminder, this refers to data that we may collect directly from you or indirectly from third parties with whom we have a contractual relationship. However, data related to the operation of the CASD service and personal data derived from public information will not be returned.
Any data subject has the right to object on legitimate grounds and the right to object to commercial prospecting. In addition, every person has a right to formulate specific and general directives concerning the storage, erasure and communication of his data after his death.

Specific post-mortem instructions and the exercise of rights are communicated by e-mail to dpo@casd.eu, accompanied by any means of establishing the person’s identity.

If, after contacting us, you consider that your rights over your data are not respected, you can file a complaint with the Commission nationale Informatique et libertés.

8. Non-communication of personal data

We do not sell or communicate to a third party the personal data centralized and collected by CASD.
Any communication of this data is made only in the context of specific procedures, legal obligations to which the CASD is subject or in the event of an injunction from a court.

9. Data Security

9.1 Our approach
We are committed to a policy of certification and monitoring the quality and security of our access service and its operating mode (confidentiality policy, information systems security policy, audit policy, ISO 27001 approach, staff training, processing monitoring, compliance with the health data security reference system, etc.) :

  • ISO 27 001 on information security management
  • Health data host
  • RGPD on the Bureau Veritas reference system (in the process of being approved by a European supervisory authority)

9.2 Our technology
We take the security of your data very seriously. In view of the nature of the personal data and the risks involved in the processing, we have taken a number of necessary measures to preserve them and prevent them from being distorted, damaged, made inaccessible or accessed by unauthorised third parties:

– Technical measures, such as encryption of data and communication channels between secure servers and remote access points (SD-Boxes) that can only be used with strong authentication; or the use by our agents of the SD-Box, making our information and management system completely secure;
– Physical measures, such as strict access control to our premises;
– Additional measures such as traces of user activity that help us to guarantee an optimal level of security.

9.3 Our employees sensitized
We have also taken organizational measures, through the training of teams dedicated to the issue of information security.
More generally, we make all our agents aware of the protection of personal data and ensure that they comply with the regulations in force and our ethics by signing an acknowledgement of the obligation of confidentiality in the performance of their duties.

9.4 Our trusted partners
We choose service providers who offer a high level of guarantees regarding the implementation of appropriate technical and organisational measures.
We ensure that the processing of your data remains under our control at all times and complies with the requirements of current regulations concerning the protection of personal data.