Personal Data Protection Charter

Sopra Steria Group S.A., with a capital of € 20,547,701, registered with the Annecy Company Register under n° 326 820 065, with headquarters located at PAE Les Glaisins, 3 rue du Pré Faucon, Annecy Le Vieux, 74940 Annecy, France, (hereinafter referred to as "Sopra Steria" or "we" or "us") attaches great importance to the protection of Personal data of the users of its Website (hereinafter referred to as "Users" or "You").

Some of the services offered on certain pages of our Website require the processing of Your Personal data. The purpose of this Notice is therefore to give You information on the ways Sopra Steria, as Data Controller, processes Your Personal data through its Website, including the use of cookies. This statement does not cover details relating to job applicants which can be found on our Careers portal (please consult the Candidate Data Protection Notice relevant for the recruitment process) or employees which can be found on our intranet.

This Notice complies with applicable laws including with Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal data and on the free movement of such data (“GDPR”).

Please note that this Notice may be updated from time to time by Sopra Steria. The date of the most recent update will appear on this page. We therefore invite You to consult it regularly.

What kind of Personal data do we process about You?
How is Your Personal data collected?
What are the Purposes of the processing of Your Personal data?
Marketing
Who are the recipients of Your Personal data?
How do we protect Your Personal data?
How long do we retain Your Personal data?
What rights are granted to You?
Who should You contact to exercise Your rights or if You have any questions?

1. What kind of Personal data do we process about You?

Depending on the circumstances we may process different categories of Personal data about You which we have grouped together as follows:

Identification data (including first name, last name, job position etc.)
Contact data (including email address, telephone number etc.)
Technical Data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices You use to access this Website
Profile Data including Your interests, preferences, feedback and survey responses
Usage Data including information about how You use our Website and Your interactions with marketing content
Marketing and Communication Data including Your preferences in receiving marketing materials form us or our third parties and Your communication preferences.

2. How is Your Personal data collected?

We use different methods to collect Personal data about You including through:

Direct Interactions. You may provide Your Personal data when You use one of the following Website features:

the form to contact us;
the form to subscribe to marketing communications or events;
the form to download reports, articles or other online content;
the platform to attend events run or sponsored by Sopra Steria;
the form to enter a competition or survey.

Automated technologies or interactions. As You interact with our Website, we may collect automatically Technical Data about Your equipment, browsing actions and patterns which might be used with other identifying data to establish other Personal Information about You. We collect these Data by using cookies, servers’ logs and other similar technologies. Please see our Cookie Policy for further details.

3. What are the Purposes of the processing of Your Personal data?

The table below describes:

The Purposes for which we process Your Personal data;
The Legal bases which legally authorise our collection and further processing of Your Personal data;
The categories of Personal data We process for each identified Purpose.

Purposes of the processing	Legal basis	Categories of Personal Data
To reply to Your inquiries/requests for information	Your consent	Identity data Contact data
To let You access and download online content such as whitepapers, reports, articles or other publications	Your consent	Identity data Contact data Marketing and communication data
To organize promotional activities and deliver marketing materials such as information about our products and services, events etc.	(a) If You are not a customer or prospect, Your explicit consent (opt-in consent) via a checkbox, or by taking a positive step during Your registration to receive this information or subscribe to these services (b) If You are a customer or prospect (B2B), Your consent via soft opt-in (opt-out consent).	Identity data Contact data Marketing and communication data Usage data Profile data
To allow You to subscribe to our Newsletters	Your consent	Identity data Contact data
To enable the use of cookies and/or other trackers – provided You agreed to it (except for strictly necessary cookies) – and subject to the terms and conditions detailed under our Cookies Policy	Your consent	Technical data Usage data
To use data analytics to improve our Website, products/services, marketing, customer relationship and experiences	Legitimate interest (to define types of customers for our products and services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy)	Technical data Usage data
To ensure the security of this Website	Legitimate interest	Technical data Usage data
To meet our legal obligations and defend our interests in the event of a dispute.	We may be subject to legal and regulatory obligations to disclose data and may also have a legitimate interest in using the data to defend ourselves in the event of a legal action	N/A. It depends on the specific case
To allow You to register to an event or webinar etc. via our Website	Your consent	Identity data Contact data Marketing and communication data Profile data Usage data
To organise competitions or conduct customer satisfaction surveys	Your explicit consent resulting from Your registration/ participation and the execution of the general terms/regulations governing these activities	Identity data Contact data Marketing and communication data Profile data

4. Marketing

4.1 Soft-Opt in & Opt-in

We do not ask Your consent to send You marketing communications for the promotion of our activities, products or services if You are a customer or prospect (B2B). In this case we use soft opt-in under applicable laws to deliver content to You. This means we do not ask for You to ‘opt-in’ via a checkbox, and instead provide You with the ability to ‘opt out’ at any time.

If You are not a customer or prospect, we use either Your explicit consent (via an opt-in checkbox), or another positive action, such as completing a registration form.

If you would like to know about Your marketing preferences, please contact contact-corp@soprasteria.com. We retain Your data for 3 years after the end of the commercial relationship with You or after Your last digital interaction with our organisation after which Your records will be removed from our marketing database. We may in some circumstances need to share Your Personal data with other Sopra Steria Group subsidiaries for marketing purposes.

However, we will not share Your Personal data with any company outside the Sopra Steria group of companies for marketing purposes without Your consent.

4.2 Opt-out

You can ask us to stop sending You marketing messages at any time by following the opt-out links on our marketing message sent to You, or by contacting us at contact-corp@soprasteria.com. If You opt-out of our communications, we will retain this instruction for a period of 18 months and will only retain Your email address for that period, after which Your data will be deleted.

5. Who are the recipients of Your Personal data?

5.1 Internal recipients

Depending on the specific purpose, Your Personal Data may be processed by internal authorised personnel (including marketing & communication, sales, administration, HR and other support functions) of Sopra Steria. Access to Your Personal data is limited to the performance of the tasks and functions of authorised personnel and is subject to an obligation of confidentiality.

5.2 External recipients

Your Personal data may also be processed by third-party service providers acting on behalf of Sopra Steria, such as our Website hosting provider or providers of marketing services. Our Website also contains cookies placed by third parties, as set out in our Cookie Policy. Please note that all our third-party service providers are required to take appropriate security measures to protect Your Personal information in line with our policies and requirements. We only permit them to process Your Personal data for specified purposes and in accordance with our instructions.

In addition, we may in some circumstances have to share Your Personal data with other recipients such as:

Other Sopra Steria Group subsidiaries;
Other third parties in connection with any merger, acquisition, partial sale of assets or other transaction relating to Sopra Steria or one of the companies in its Group;
To law enforcement authorities if required by law, including under a court order, or if such disclosure is necessary to defend our rights, to prevent fraud or computer crime, or to ensure the security of Sopra Steria or any other person, where required or permitted by applicable legal provisions.

Such disclosure shall be limited to what is strictly necessary to the extent permitted by applicable law.

5.3 Data sharing outside of the EU/EEA

Given the international dimension of the Sopra Steria Group, Your Personal data may be transferred to recipients outside the European Union/European Economic Area (EEA: EU Member States and Iceland, Liechtenstein and Norway), to countries that do not offer a level of protection up to the EU standard of essential equivalence. International transfers of Personal data may be necessary for the performance of Sopra Steria’s business activities and for its internal administrative management. Sopra Steria ensures that restricted transfers take place lawfully, using the transfer tools provided for by applicable regulations and providing appropriate safeguards and protection measures. You can obtain a copy of these guarantees by sending an email to the following email address: acces-cnil@soprasteria.com or support.privacy@soprasteria.com.

6. How do we protect Your Personal data?

We have put in place appropriate security measures to prevent Your Personal Information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we have procedures to deal with any suspected or actual Personal data breach.

Third parties will only process Your Personal Information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We limit access to Your Personal Information to those employees, contractors and other third parties who have a business need to know.

7. How long do we retain Your Personal data?

We will retain Your personal information for as long as necessary to fulfil the Purposes we collected it for, including for the Purposes of satisfying any applicable legal requirements. This means that the retention period may be defined differently depending on the Purposes pursued by the processing and the specific legal obligations.

Some of the retention periods applicable to Personal data collected on our Website are as follows:

as long as Your User account remains active,
for as long as we keep in touch with You through our promotional activities and three (3) years after the last interaction, unless You object to the processing of Your Personal data,
as long as required by the applicable law,
cookies and other trackers used on our Website are retained according to our Cookies policy.

It is possible that we may need to keep Your Personal data in intermediate archives with restricted access for evidentiary purposes beyond the above-mentioned periods to comply with legal obligations incumbent on us or, if necessary and in consideration of the statute of limitations, to enforce our rights.

Once Your Personal data is no longer required for the identified Purposes, to meet our legal obligations or to comply with the applicable statute of limitations, we ensure that it is completely destroyed or made anonymous.

8. What rights are granted to You?

Sopra Steria recognizes the importance of data subject rights and enables individuals to exercise them in the simplest and most effective way. Accordingly, we are open to Your questions on the conditions of processing of Your Personal data and to Your requests to exercise the following rights:

Right to access and obtain a copy of Your Personal data and information on how Your Personal data is processed;
Right to rectify Your Personal data if it is incorrect and the right to complete it if it is incomplete;
Under certain conditions, right to delete Your Personal data when it is no longer required for the purposes for which it was collected or processed. You also have the right to ask us to delete or remove Your Personal data where You have successfully exercised Your right to object to processing. Please note, however, that the right to erasure is not absolute. We may not always be able to comply fully with Your request of erasure due to specific legal obligations which will be notified to You at the time of Your request.
Right to object to the processing of Your Personal data on grounds relating to Your particular situation, if the processing is based on Sopra Steria's legitimate interest. You also have the absolute right to object where we are processing Your Personal data for direct marketing purposes. In some cases (with the exception of direct marketing), we may demonstrate that we have compelling legitimate grounds to process Your information which override Your rights and freedoms;
Right to restrict the processing of Your Personal data when You have exercised Your right to object or rectify Your data pending a response from Sopra Steria;
Right not to be subject to automated processing or profiling in relation to Your Personal data. Typically, this means decision-making by automated means, including Artificial Intelligence in order to make business decisions. Here, You have the right to ask for a living person to be involved in decisionmaking. You also have the right to ask us to review any decision made by automated means.
Right to withdraw Your consent to the processing of Your Personal data if such processing is based on Your consent.
Right to opt out of marketing communications. You have the right to refuse or opt out of marketing communications sent by Sopra Steria, regardless of whether Your data was collected and processed based on legitimate interest or consent, by contacting us contact-corp@soprasteria.com or by unsubscribing within any email communication we may send to You (found at the footer of each email).

9. Who should You contact to exercise Your rights or if You have any questions?

If You wish to exercise any of Your rights, please contact us at: contact-corp@soprasteria.com.

If You have any questions about this Notice please contact us at: acces-cnil@soprasteria.com or support.privacy@soprasteria.com.