CONTENTS

1. GENERAL PROVISIONS
1.1. Preamble
1.2. Interpretation
1.3. Purpose
1.4. General Principles

2. DATA PROCESSING IDENTIFICATION
2.1. Categories of Data Collected and Data Sources
2.2. Purposes of Processing
2.3. Data Retention Periods
2.4. Legal Basis
2.5. Data Recipients

3. MANAGEMENT OF INDIVIDUALS’ RIGHTS
3.1. Right of Access and Right to Obtain a Copy
3.2. Right to rectification
3.3. Right to erasure
3.4. Right to restriction of processing
3.5. Right to data portability
3.6. Right to object
3.7. Exercising our contacts’ rights

4. ADDITIONAL PROVISIONS
4.1. Subcontracting

5. USE OF PMSI DATA

6. CONTACTS
6.1. Data protection officer
6.2. Right to lodge a complaint with the CNIL
6.3. Updates

  1. GENERAL PROVISIONS

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (hereinafter GDPR), establishes the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients.

Subsequently, to implement the amendments brought by the GDPR, Law No. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by Law No. 2018-493 of 20 June 2018 through Ordinance No. 2018-1125 of 12 December 2018 relating to data protection.

The regulations applicable to the protection of personal data thus comprise the following texts:

  • The GDPR;
  • The Data Protection Act, updated with the aforementioned texts;
  • Recommendations issued by the CNIL.

For the proper understanding of this policy, it is specified that:

  • The “data controller” means the natural or legal person who determines the purposes and means of the processing of personal data. For the purposes of this policy, the data controller is APM International;
  • The “data subjects” are the individuals who can be identified, directly or indirectly, by reference to personal data collected by the data controller, i.e., in the context of this policy, all contacts of APM International related to its clients, partners, and prospects regardless of their status, as well as internet users.

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible, and easily accessible manner.

Whenever terms defined in Regulation (EU) 2016/679 appear in these clauses, they shall have the meaning given to them in the said Regulation.

To ensure its proper functioning, our company is required to implement processing of personal data relating to our contacts within our clients, prospects, internet users, and partners in the context of commercial relationships and contracts concluded with them.

This policy aims to fulfill our obligation to inform and to remind our contacts within our clients, prospects, internet users, and partners of their rights regarding the processing of their personal data.

No processing concerning your personal data is carried out by our company unless it involves personal data collected by or on behalf of its services or processed in connection with its services and complies with the general principles of the GDPR.

Any new processing, modification, or deletion of an existing processing will be brought to the attention of our contacts within our clients, partners, internet users, and prospects through an update of this policy.

  2. DATA PROCESSING IDENTIFICATION

Data are primarily collected directly from our contacts within our clients, partners, internet users, and prospects.

Accordingly, we only collect and use the data necessary for the conclusion or performance of contracts with our company, namely:

  • Identity of the contact(s) responsible for a file or contacted for prospecting purposes (e.g., title, last name, first name);
  • Professional contact details of the contact(s) responsible for a file or contacted for prospecting purposes (e.g., professional email, professional postal address, professional landline or mobile phone number, fax number);
  • Professional information of the contact(s) responsible for a file or contacted for prospecting purposes (e.g., position, rank, role);
  • Technical data depending on the use case (identification or connection data such as IP address or logs);
  • Images of the contact(s) responsible for a file or contacted for prospecting purposes (e.g., in case of access to our premises).

| Aim | Comment |
|---|---|
| Pre-contractual communications | We process the data of individuals who interact with us when we have approached the organization they belong to for prospecting purposes or when they have contacted us to enter into a contract. |
| Contract and Contract Management | We process the data of our contacts linked to our clients in the context of managing the contractual relationships between us and them. |
| Invoicing, Payment, and Accounting | We process the data of our contacts within our clients and prospects in connection with the invoicing and payment of orders placed. |
| Client/Prospect Relationship Management | We process the data of our contacts within our clients and prospects in order to communicate with them regarding any questions they may have during the execution or future performance of a contract with our company. |
| Management of Our Client and Prospect Directory | We maintain an up-to-date directory of our clients and another of our prospects, which includes information about our main contacts within these organizations. |
| Management of the Personal Account Area on Our Various Websites | We provide personal account areas on our various websites that allow you to access exclusive content. |
| Event Organization by Our Company | We process the data of our contacts within our clients and prospects when we invite them to events that we organize or co-organize. |
| Sending of Newsletters or News Feeds | When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data of our contacts within our clients and prospects. |
| Management of Third-Party Personnel Access | We process the data of our contacts accessing our premises in order to secure access (e.g., maintaining a register, access badges…). |
| Video Surveillance of Third-Party Personnel | Certain specific areas of our premises, such as barriers and fences, are subject to video surveillance, resulting in the processing of data of third parties who may be recorded. |
| Compilation of Statistics | We may compile statistics regarding the data of our clients and prospects. |

We determine the retention period for the data of our contacts within our clients, partners, internet users, and prospects based on the legal and contractual obligations that apply to us, and, failing that, according to our needs.

As a general rule, data related to our clients, partners, internet users, and prospects must be retained only for the time strictly necessary to manage the commercial relationship. More specifically, we commit to respecting the following retention periods:

| Processing | Retention Period |
|---|---|
| Contracts entered into with our clients | 5 years from the date of their conclusion; 10 years for contracts concluded electronically for amounts over 120 euros |
| Commercial correspondence (purchase orders, delivery notes, invoices, etc.) | 10 years from the end of the financial year |
| Data Processed for Prospecting Purposes | For clients: 3 years from the end of the commercial relationship (from the end of a contract or the last contact from the client). For prospects: 3 years from their collection by APM International or the last contact from the prospect (request for documentation, click on a link contained in an email, etc.). |
| Footage from Surveillance Cameras | For a maximum duration of one month |
| Access to Buildings | For a maximum duration of one month |
| Technical Data | 1 year from the date of collection |
| Cookies | 13 months, except for consent-related cookies, which are retained for 6 months. |

The retention periods indicated in the previous table are necessarily extended for the statutory limitation period as evidence in case of litigation. In this latter case, the retention period is extended for the entire duration of the dispute.

After the specified periods have elapsed, data is either deleted or retained after being anonymized, particularly for statistical purposes. Data may also be kept in cases of pre-litigation and litigation.

Please note that deletion and anonymization are irreversible operations and that APM International is no longer able to restore the data thereafter.

The processing of data concerning our contacts linked to our clients, partners, internet users, and prospects, as presented above, is based on the following lawful grounds, which vary depending on whether the processing concerns clients, partners, internet users, or prospects:

  • Customers: Pre-contractual or contractual performance
  • Prospects: Pre-contractual performance or legitimate interest of APM International
  • Internet user: Legitimate interest of APM International or consent for certain cookies

Recipients of data means the natural or legal persons who receive communication of personal data. Therefore, recipients can be both employees of APM International and external organizations.

We ensure that the data collected and processed within the framework of our relationships with our clients, partners, internet users, and prospects are accessible only to authorized internal and external recipients, and notably to the following recipients:

  • Staff from the relevant departments authorized to manage the relationship with our contacts among clients, partners, internet users, and prospects, as well as their hierarchical supervisors;
  • Staff from support departments, such as administrative, logistics, and IT services, and their hierarchical supervisors;
  • Our service providers or support services (e.g., IT service providers);
  • Competent authorities if we are required to share certain data with judicial officers, internal control services, etc.;
  • In the event of a visit to our premises, reception staff who collect visitors’ data, whatever their status, in a register.

Regarding internal recipients, we determine which recipient may access which data according to an authorization policy and ensure that they are bound by confidentiality obligations.

Regarding external recipients, we inform you that the personal data of our contacts among clients, partners, internet users, and prospects may be communicated to some of our service providers or to any authority legally entitled to access such data (notably tax and social authorities). In such cases, APM International is not responsible for the conditions under which the staff of these authorities access and process the data.

3. MANAGEMENT OF INDIVIDUALS’ RIGHTS


Our clients, partners, internet users, and prospects have the right to request confirmation from us as to whether we are processing data concerning their members (employees, executives, etc.) in the context of contracts concluded with them or in relation to prospecting communications we send to them.

They may also request a copy of the data concerning their members that is being processed.

However, in the case of requests for additional copies, we may require our clients, partners, internet users, and prospects to bear the cost associated with providing these additional copies.

If requests from our clients, partners, internet users, and prospects are made electronically, the requested information will be provided in a commonly used electronic format, unless otherwise requested.

Our clients, partners, internet users, and prospects are informed that this right of access does not apply to confidential information or data for which disclosure is prohibited by law.

The right of access must not be exercised abusively, meaning it should not be used regularly with the sole intention of disrupting the proper execution of our services.

Our clients, partners, website users, and prospects have the right to ask us to rectify certain data concerning their staff that may be outdated or incorrect.

Our clients may only invoke the right to erasure concerning their personnel’s data in the following cases:

  • The contract between our company and the client has been terminated and is no longer in effect;
  • The personnel whose data is processed are no longer part of the client’s workforce and consequently wish to be removed from our client database.

Our prospects may exercise the right to erasure regarding their data to the extent that they have the right to object to receiving marketing communications.

Our clients, partners, internet users, and prospects are informed that this right does not apply if the conditions required by the applicable regulations are not met concerning the processing of personal data of their personnel members with whom we interact.

Our clients, partners, internet users, and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met regarding the processing of personal data of their personnel members with whom we interact.

Clients, partners, internet users, and prospects have the right to object to any commercial prospecting by postal mail, telephone, or electronic means, including profiling to the extent that it is related to such prospecting.

In the specific case of electronic prospecting, clients, partners, internet users, and prospects can at any time object to such prospecting either by clicking the link in the sent email or by modifying their preferences in their account on our website. By SMS, it is possible to object to any prospecting by sending “stop” to the number indicated in the received message.

To exercise their rights, our clients, partners, internet users, and prospects must contact us either in writing, by postal mail, or by email at the following address: dataprivacy@apminternational.fr.

We make every effort to respond to requests within a reasonable timeframe, and preferably within one month from the receipt of the request.

However, in cases where processing the requests proves complex or if we face a high volume of rights exercise requests simultaneously, the processing time may be extended to two months.

  4. ADDITIONAL PROVISIONS

We may engage any subcontractor of our choice in the processing of personal data of our contacts at clients, partners, internet users, and prospects.

Under the GDPR, a subcontractor means any natural or legal person who processes personal data on behalf of the data controller. In practice, this refers to the service providers with whom APM International works and who handle APM International’s personal data.

In such cases, we ensure that the subcontractor complies with its obligations under GDPR.

We commit to signing a written contract with all our subcontractors and impose on them the same data protection obligations that we adhere to ourselves. Additionally, we reserve the right to conduct audits of our subcontractors to verify their compliance with GDPR provisions.

  5. USE OF PMSI DATA

APM International has obtained the renewal of the CNIL authorization (DE-2023-020) dated March 9, 2023, granting a unique decision for the implementation of automated processing for research and evaluation purposes on the national data of the Medicalization Program of Information Systems (PMSI).

The main objective of the PMSI is to analyze the medical activity of hospital establishments for budget allocation purposes. Within the PMSI framework, every stay in a healthcare facility, public or private, is subject to a systematic and minimal collection of administrative and medical information, primarily used for funding healthcare institutions (activity-based costing) and for organizing healthcare services (planning) https://www.health-data-hub.fr/snds.

APM International is authorized to reuse PMSI data for the following purpose: analyzing the evolution of the hospital landscape by constructing activity indicators related to care per establishment, group of establishments, categories of establishments, or by region, in view of implemented public policies.

Therefore, APM International processes pseudonymized health personal data, meaning data that does not allow direct identification of individuals (for more information on the protection of SNDS data, of which the PMSI database is a component, see: https://documentation-snds.health-data-hub.fr/snds/introduction/01-snds.html#la-securite-et-la-confidentialite).

To guarantee the protection of personal data originating from the PMSI, APM International has committed to strictly respecting the legislative and regulatory framework governing access to personal health data.

Regarding PMSI data, please be informed that you can exercise your rights of access, rectification, and opposition by contacting the director of the managing organization of the compulsory health insurance scheme to which you are affiliated, in accordance with the provisions of Article R.1461-9 of the Public Health Code.

You can find the list of processing operations performed on PMSI data by APM International, as well as associated publications, at: https://apm-international.fr/analytics-et-conseil/utilisation-des-donnees-du-pmsi-par-apm-international/

6. CONTACTS


We have appointed a Data Protection Officer who can be contacted for any questions related to data processing at the following address: ebarbry@racine.eu.

Our contacts with our service providers have the right to file a complaint with a supervisory authority, namely the CNIL in France, if they believe that the processing of their personal data is not compliant with the European data protection regulations. Complaints can be sent to the following address:

CNIL – Complaints Department
3 Place de Fontenoy – TSA 80715
75334 PARIS CEDEX 07
Phone: +33 1 53 73 22 22

This policy may be modified or adjusted at any time in the event of changes in legislation, case law, CNIL decisions and recommendations, or practice.

Any new version of this policy will be communicated to our clients, partners, internet users, and prospects by any means we choose, including electronically (for example, by email or online publication).