GDPR
Code of Conduct
Charter for the protection of personal data (Directive 95/46/EC on the protection of personal data)
This Code of Conduct (hereinafter “CoC”) forms an integral part of the General Working Conditions of permanent employees and models represented by the Agency under a collaboration agreement and a civil mandate of representation.
It is passed on to both subcontractors and the Agency's various partners.
Employees, Models and Clients may not have any contractual relationships of any kind without having previously read, understood and expressly accepted this CoC.
The purpose of this CoC is to define the obligations of HINOLISARI SUCCESS and within the framework of the processing of personal data carried out within the framework of the contractual relationships of each of the parties concerned.
A. Regarding permanent staff
In the context of the implementation of the General Data Protection Regulation (GDPR) which comes into force on May 25, 2018, we inform you that the personal data collected about you is subject to processing intended for the human resources department, the paid leave management provider, as well as our external service providers in charge of payroll management and corresponding declarations.
This data processing is for the purpose of payroll management and mandatory social security declarations; maintaining the single personnel register; personnel administration; work organization; and employer-sponsored social welfare programs. This data is therefore transmitted, in particular, to the URSSAF (French social security collection agency), pension and insurance funds, the mutual insurance company, occupational health services, and soon to the French Treasury (as part of the implementation of income tax withholding), as well as to the aforementioned external service providers.
The data retention period is 5 years after the expiry of your employment contract (except in the event of any litigation initiated during this period and/or specific legal obligations).
You have the right to access, rectify, port, erase, or limit the processing of your personal data.
You can object to the processing of your personal data and have the right to withdraw your consent at any time by contacting Mr. Henry Chevalier.
You also have the option of lodging a complaint with a supervisory authority.
B. Regarding the models
The agency strictly and in good faith applies the provisions of the directive of 25.05.2018 relating to the general data protection regime stipulated in our code of conduct.
The model acknowledges having been informed of and approving these arrangements.
The Model expressly acknowledges being informed that the AGENCY acts within the framework of this agreement as the executor of contracts enabling the Model to practice their profession, which notably involves the collection and processing of personal data. In this capacity, and without this list being exhaustive, the AGENCY transmits said data to the Client or various professional stakeholders involved in castings and/or assignments, whether through software or on the Agency's website. The purpose of this data processing is therefore to enable the Model to practice their profession.
The agency also manages, where applicable, the consequences of the execution of these contracts (salaries, rights, formalities, procedures with public administrations etc.) including the transmission of the data necessary for this execution to subcontractors.
The data retention period is 5 years after the expiry of your employment contract or mandate (except in the event of any litigation initiated during this period and/or specific legal obligations).
You have the right to access, rectify, port, erase, or limit the processing of your personal data.
You can object to the processing of data concerning you and have the right to withdraw your consent at any time by contacting Mr. Henry Chevalier or the DPO whose office is clearly identified and whose email address is included in this document.
You also have the option of lodging a complaint with a supervisory authority.
You can consult our Code of Conduct on the Agency's website or by contacting the company's IT department or by email at rgpd@successmodels.com
In this capacity and without this list being exhaustive, the Agency collects personal data which it transmits to the Client in the context of castings and/or missions, whether through software or on the Agency's website.
The agency also manages, where applicable, the consequences of the execution of these contracts (salaries, rights, formalities, procedures with public administrations, etc.).
WARNING
OUR PARTNERS AND EMPLOYEES ARE INFORMED THAT THE AGENCY USES SOFTWARE THAT ALLOWS IT TO CARRY OUT AND MANAGE THE PROCESSING OF SO-CALLED "SENSITIVE" PERSONAL DATA, DUE TO THE NATURE OF THE SOFTWARE AND THE ACTIVITY OF THE AGENCY, NAMELY IN PARTICULAR THE PROCESSING OF DATA CONCERNING MODELS, WHICH IMPLIES THAT "SENSITIVE" DATA, SUCH AS SKIN COLOUR, EYE COLOUR, HAIR COLOUR OR EVEN THE ETHNIC ORIGIN OF PERSONS, IS PROCESSED.
THEREFORE, HINOLISARI SUCCESS GUARANTEES THAT IT HAS TAKEN ALL THE NECESSARY MEASURES FOR THE PROCESSING OF SENSITIVE PERSONAL DATA, IN REGARD TO CURRENT EUROPEAN LEGISLATION (GDPR OF 27 APRIL 2016) AND THE NATIONAL LEGISLATION APPLICABLE TO ITS ACTIVITY AND THE PROCESSING OF PERSONAL DATA FOR WHICH IT IS RESPONSIBLE.
HINOLISARI SUCCESS THEREFORE REQUESTS ITS CLIENTS AND PARTNERS TO ENSURE COMPLIANCE WITH THIS LEGISLATION AND TO INDEMNIFY IT AGAINST ANY LEGAL ACTION IN THIS REGARD. THE AGENCY ALSO GUARANTEES THIS COMPLIANCE AND FURTHER GUARANTEES THAT IT HAS OBTAINED EXPRESS AND UNEQUIVOCAL CONSENT FROM EVERY NATURAL PERSON SUBJECT TO PROCESSING, IN THAT:
1. Sending an email to all contact addresses of all its models regarding their rights and the possibility of accessing the code of conduct
2. Including on its website a link to this code of conduct and an information notice
3. Incorporating into its various contracts a clause relating to our code of conduct, particularly regarding collaboration agreements and representation mandates
4. Having thus taken a non-exhaustive set of necessary measures to ensure the physical security and integrity of its computer network (external network administrator, firewall, anti-virus, etc.)
5. Having secured the Agency's website as much as possible, in particular by adopting the "https" standard
6. Having secured the processing of personal data provided to the client in the context of using the booking software by asking them to expressly adhere to this Code of Conduct
7. Undertaking to inform the competent authorities in the event of a breach of personal data processing by a third party
8. Having requested all its partners and subcontractors to comply with the terms of the GDPR Regulation
9. Amending all IT service provider contracts to verify their compliance with GDPR regulations
10. Issuing a memo to all employees regarding password security
11. Having established a CNIL PIA register form (in progress)
12. Adding legal notices to websites and a cookie acceptance method
13. Having taken out cyber risk insurance
14. Having sent a registered letter to the various subcontractors explaining that, in the absence of a contract compliant with the GDPR, we considered them to be in compliance
15. Subscribing to the AFCDP newsletter
16. Appointing a DPO
Servers and data backup / Network administration
Personal data stored internally (main server and NAS server) is encrypted and access is password-protected. Backups are performed on cloud servers both at AWS (a GDPR-compliant server) located in Europe, and on an OVH server accessible via a VPN server, both located in Europe (see diagram).
HINOLISARI SUCCESS guarantees compliance with the provisions of European Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to:
- Fair and transparent processing of personal data;
- Respect for the legitimate interests pursued by the model and permanent employees in its capacity as data controller;
- The pseudonymization of personal data;
- Notification to the supervisory authorities of breaches of processed personal data and communication of these breaches to the third parties involved so that they can communicate them to the persons concerned;
- Compliance with directives regarding the international transfer of personal data;
- Respect for confidentiality related to the processing of personal data.
HINOLISARI SUCCESS is authorized to process personal data on behalf of models and permanent staff, in order to provide the following service: provision of Software enabling the processing of personal data and sensitive personal data.
The nature of the operations carried out on the data is a processing which, within the framework of the activity of a modeling agency, allows the communication of certain personal data of actors, artists, photographers, hairdressers/makeup artists, casting directors, influencers, to manage files and photos, client agency records, and contacts, schedules, booking, etc.
The purpose(s) of the processing is the listing of data necessary for the management by agencies of the client portfolio and contacts.
The personal data processed includes names, surnames, photographs, email and physical addresses, appointments, sensitive data such as eye and hair color, ethnic and national origin, as well as bank details, passport number, identity card, social security, visas, and residence permits.
For the execution of the service covered by this contract, the data controller shall provide the subcontractor with the following necessary information: names, surnames, photographs, email and physical addresses, appointments, sensitive data such as eye colour, hair colour, ethnic origin, national origin as well as bank details.
HINOLISARI SUCCESS is committed to:
1. Process data only for the purpose(s) that are the subject of its mission
2. Process data in accordance with the instructions provided by the Client. If HINOLISARI SUCCESS considers that an instruction constitutes a violation of the European General Data Protection Regulation (GDPR) or any other provision of Union or Member State law relating to data protection, it shall inform the Client immediately. Furthermore, if HINOLISARI SUCCESS is required to transfer data to a third country or an international organization under Union or Member State law, it must inform the Client of this legal obligation before processing, unless the law in question prohibits such notification for important reasons of public interest.
3. Guarantee the confidentiality of personal data processed within the framework of this CoC.
4. Ensure that HINOLISARI SUCCESS staff authorized to process data are committed to respecting the confidentiality of the personal data processed. HINOLISARI SUCCESS guarantees that this staff has received the necessary training in personal data protection.
5. Take into account, for the software used, the principles of data protection by design and data protection by default.
6. In the event of subcontracting by HINOLISARI SUCCESS concerning the processing of personal data for which the Client is responsible
HINOLISARI SUCCESS may use another subcontractor (hereinafter, "the subsequent subcontractor") to carry out specific processing activities. In this case, HINOLISARI SUCCESS will inform the service provider in advance and in writing of any planned changes concerning the addition or replacement of other subcontractors. This information must clearly indicate the subcontracted processing activities, the identity and contact details of the subcontractor, and the dates of the subcontract. The Client has a minimum of 10 (ten) days from the date of receipt of this information to raise any objections. This subcontracting can only be carried out if the Client has not raised any objections within the agreed period. The list of subcontractors is as follows:
IT Initiative
DSA
DIGITAL TIDES
Any subsequent subcontractor is required to comply with the obligations of this CoC and, more generally, the General Terms and Conditions in their entirety, on behalf of and according to the instructions of the agency. HINOLISARI SUCCESS is responsible for ensuring that the subsequent subcontractor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of the European General Data Protection Regulation (GDPR). If the subsequent subcontractor fails to fulfill its data protection obligations, HINOLISARI SUCCESS remains fully liable to the data controller for the performance of the other subcontractor's obligations.
7. Right of information for the persons concerned
HINOLISARI SUCCESS, the data controller, provides information to the persons concerned by the processing operations at the time of data collection and obtains their approval by several means (signature of information sheets, employment contracts, collaboration agreements, mandates).
Our GDPR policy is also reiterated:
- In the IT charter
- In our general terms and conditions of sale and work
- In our code of conduct accessible via our websites
8. Exercise of individuals' rights
HINOLISARI SUCCESS undertakes, when it is responsible for the processing of personal data, to fulfill its obligation to respond to requests from data subjects to exercise their rights: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability.
1. Does not use mechanisms that practice automated individual decision-making (including profiling).
2. Only uses cookies on its websites for internal statistical purposes.
3. Does not resell in any way its customer lists, supplier lists and even less personal data of its different categories of staff.
When data subjects submit requests to HINOLISARI SUCCESS to exercise their rights, HINOLISARI SUCCESS undertakes, upon receipt of the email at the address provided at the time of data collection, namely rgpd@successmodels.com, to comply with these General Terms and Conditions and this Code of Conduct.
9. Notification of personal data breaches
HINOLISARI SUCCESS shall notify the CNIL, as well as any natural or legal person, of any personal data breach within a maximum of 48 (forty-eight) hours of becoming aware of it, by email to the address mentioned above, to the address provided at the time of subscribing to these General Terms and Conditions and this CoC, and/or by any other appropriate means.
This notification is accompanied by all relevant documentation in full transparency on the nature and scope of the data concerned in order to enable the persons concerned to assert their rights, protect their interests, ensure security, and, if necessary, notify the competent supervisory authority of this breach.
10. Security Measures
HINOLISARI SUCCESS is committed to implementing the following security measures:
• The encryption of personal data;
• The means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident;
• A procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
Please note that the premises of the various agencies are under video surveillance and remote monitoring with intervention in the event of an alarm activation. HINOLISARI SUCCESS undertakes to implement the security measures stipulated in this CoC.
11. Data output
Upon completion of the services related to the processing of this data, HINOLISARI SUCCESS undertakes to, at the Client's option:
• destroy all personal data; or
• return all personal data to the requesting person.
The return must be accompanied by the destruction of all existing copies in the information systems. Once destroyed, HINOLISARI SUCCESS must provide written justification for the destruction.
12. Data Controller
HINOLISARI SUCCESS will inform any data subject of the name of the data controller in accordance with Article 37 of the European General Data Protection Regulation (GDPR), information also included in all relevant documents mentioned above. This Data Protection Officer (DPO) is Mr. Thierry Vannoorenberghe.
13. Register of Processing Activity Categories
HINOLISARI SUCCESS declares that it maintains a written record of all categories of processing activities carried out on behalf of its principals, clients or employees, data controller, including:
• the name and contact details of the data controller on whose behalf it acts, of any subcontractors and, where applicable, of the data protection officer;
• the categories of processing carried out on behalf of the data controller;
• where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in Article 49(1), second subparagraph of the European General Data Protection Regulation, documents attesting to the existence of appropriate safeguards;
• where possible, a general description of the technical and organizational security measures, including, but not limited to, as needed:
* the encryption of personal data
* means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
* means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident;
* a procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
14. Documentation
HINOLISARI SUCCESS provides the data controller with the necessary documentation to demonstrate compliance with all its obligations and to allow for audits, including inspections, by the data controller or another auditor it has appointed.
The Client, as data controller, undertakes to:
1. Provide HINOLISARI SUCCESS with the data referred to in Article 2 of this CoC;
2. Document in writing all instructions concerning data processing by HINOLISARI SUCCESS;
3. Ensure, beforehand and throughout the duration of the processing, compliance with its obligations under the European data protection regulation;
4. Supervise the processing, including conducting audits and inspections at HINOLISARI SUCCESS.
5. The Client is informed and expressly agrees that, as the data controller, it is subject to a number of obligations, particularly with regard to the requirement to protect so-called "sensitive" data. In this respect, the Client undertakes to appoint a Data Protection Officer (DPO) responsible for monitoring compliance with personal data regulations through the processing carried out.
Transfer of personal data.
Your personal data will not be sold, rented or exchanged with third parties.
However, you are informed that we reserve the right to communicate to third parties your data fully anonymized and in aggregate form, that is to say in a form which does not allow you to be identified in any way whatsoever for the sole purposes of this agreement and within the limits thereof.
Retention period for personal data
Regarding data relating to the management and monitoring of relationships with users of our services:
Your personal data will not be kept longer than is strictly necessary for managing our relationship with you. However, data that serves as proof of a right or contract, and which must be retained to comply with a legal obligation, will be kept for the period stipulated by applicable law.
We retain your data for a maximum period of three (3) years from the termination of our commercial or contractual relationship. At the end of this three (3) year period, we may contact you again to ask if you wish to continue to receive information about our services.
Recipients of the collected and processed data
Our company's staff, the departments responsible for control (including the auditor) and our subcontractors will have access to your personal data.
We are only responsible for our use of your personal data, excluding any other uses made by clients or subcontractors.
Your personal data may also be shared with public bodies, exclusively to meet our legal obligations, legal professionals, ministerial officers and debt collection agencies.
Regarding audience measurement statistics:
Information stored on users' terminals or any other element used to identify users and enabling their tracking or attendance will not be kept for more than thirteen (13) months.
Security
We inform you that we take all necessary precautions, appropriate organizational and technical measures to preserve the security, integrity and confidentiality of your personal data and in particular, to prevent it from being distorted, damaged or accessed by unauthorized third parties.
Hosting
We inform you that your data is kept and stored, for the entire duration of its retention, on the servers of the companies Amazon and OVH, located in the European Union.
Your data will not be transferred outside the European Union in connection with the use of the services we offer you.
Cookie Policy
The agency uses cookies solely for statistical purposes using tools such as Google Stats.
This is mentioned on websites in the following way:
"By continuing to browse this site, you agree to the use of cookies solely for the purpose of compiling visitor statistics" (using the yes/no buttons).
The agency uses cookies solely for statistical purposes using tools such as Google Stats, as stated in the consent clause. Respect for your privacy is our priority.
We use cookie technology and process your personal data, such as IP addresses and cookie identifiers, to measure content relevance and gather information about the audiences who viewed it. By clicking "I agree," you consent to the use of this technology and the processing of your personal data for these purposes. You can change your mind and modify your consent at any time by returning to this site.
Data controller
The Agency is responsible for compliance with Directive 95/46/EC on the protection of personal data. Other partner companies are solely responsible for data processing, in accordance with this Privacy Statement. If personal data is communicated by another company that processes it, that company is also considered a data processor. As the Operator is designated as the Data Controller in this document, this responsibility also rests with each partner company or association.