PERSONAL DATA PROTECTION POLICY

The ORSYS group is committed to protecting its customers’ personal data. It undertakes to ensure the best level of protection in accordance with the European and French laws on the protection of personal data that apply to it.

For information on the protection of personal data, you may also refer to the website of the Commission Informatique et Liberté (French Data Protection Authority) at www.cnil.fr.

What are our principles regarding the processing of personal data?

Under prevailing laws, the processing of your personal data by ORSYS is based on the following principles:
  • The data collected is proportional to the purposes of the processing.
  • The purposes of each processing operation are determined, explicit and legitimate.
  • The processing is lawful, fair and transparent.
  • The data collected is the subject of both organisational and technical security measures. 

Who is the data controller in relation to my personal data?

The data controller is the company that defines the use to which your personal data is put and how it is used. For personal data collected via our websites and mobile apps, or when you contact our sales teams (needs analysis, orders, file monitoring, etc.), the data controller is:

ORSYS
1 Parvis de la Défense, la Grande Arche, Paroi Nord, 92044 Paris La Défense Nanterre, France
Trade and Companies Register no.: 482 761 160

Why ORSYS collects my personal data

ORSYS uses your personal data primarily for the following purposes:
  • Managing orders for training courses and the relationship with the customer, the effective delivery of training courses
    The vast majority of our customers are private companies and public bodies, and sometimes individuals. We need information about you to manage the professional training courses ordered by your employer, or by you, and any follow-up matters. For example: registration for an inter-company, intra-company or e-learning training session; sending your invitations or login details to our LMS (Learning Management System) platform; welcoming you to our training centres and rooms; delivering the training and monitoring the training periods; assessing your understanding; following up on the relationship with the customer, e.g. carrying out satisfaction surveys; managing complaints and the after-sales service.
  • Customisation of our services and the messages we send you Your data helps us to improve the services we offer you and the communications we send you. For example: we may send you personalised emails or recommend training courses linked to those you have previously taken and that match your interests.
  • Customer insight, statistics and performance of our website We may use anonymous data to analyse our website's activity and improve the services we offer. We carry out audience measurements, for example the number of pages viewed, the number of visits to the website, as well as the activity of visitors and their return frequency. We may use your data to produce internal statistics linked to your business relationship with ORSYS.

What personal data about me is collected?

Which data?

With regard to our customers and those involved in the purchasing of training courses (contacts from the training department, the human resources department, buyers, directors and operational managers), the personal data collected and processed principally comprises surnames, first names and business contact details (company, position, postal address, email address, telephone number), some login data, order history and any other information provided on an unprompted basis if its content is relevant and proportional to the purpose of the processing. 

For participants in ORSYS's training courses, the personal data is collected either from the employer or from the participant themselves at the time of registration. The data principally includes their surname, first name, business contact details (employer's name, profession, postal address, email address, telephone number), some login data, assessments of training courses taken, self-assessments on training outcomes, and any other information provided on an unprompted basis if its content is relevant and proportional to the purpose of the processing. 

The collection of participants’ data from the employer meets the legal obligation of employers to provide training to their employees. The collection of data from participants themselves meets the legal obligation referred to in the previous paragraph or the performance of vocational training as provided for in Article L 6313-1 of the French Employment Code. The data then needs to be collected in order to provide the training.

Where applicable, pursuant to Article D 5211-3 of the French Employment Code, ORSYS may collect information on disabilities in order to make any necessary adjustments to the training programme.

This information is only retained until the end of the training course. It is then deleted from our systems and no record thereof is kept.

When

We collect the information you provide to us, when: 

For those involved in the purchasing of training courses (contacts from the training department and the human resources department, buyers, directors and operational managers) 

  • You apply to open an Espace Pro customer account.
  • You place an order on one of our websites, mobile apps or with our sales teams (via email or a web form).

For people taking ORSYS training courses

  • You use a MyOrsys account to obtain educational resources for a training course you have taken.
  • You evaluate a training course you have taken.
  • You browse our websites and mobile apps and view our training products.
  • You contact our Customer Service department.

For everyone 

  • You submit a request for information.
  • You ask to register for one of our free events 

When data is collected online, an asterisk informs you whether the provision of the data is mandatory or optional.

What communications am I likely to receive?

  • Service emails
    Following an order or as part of the management of an agreement, you will receive emails enabling you to track your order or the performance of your agreement (confirmation of orders, organisation of training courses, retrieval of administrative documents, etc.). These service messages are necessary for the proper performance of the orders and services you have requested. The receipt of this information is not linked to the choices you have made on the receipt of commercial communications. 
  • Sales emails and newsletters
    By becoming a customer, you may receive information and offers from ORSYS by email, unless you have objected thereto. These messages allow you to keep abreast of news at ORSYS, changes to its training courses, session availability, and events such as conferences on topical events (seminars and webinars). We measure the open rate of our electronic communications so that they can be optimally tailored to your needs. 
  • Direct mail
    If you have not objected thereto, you may receive offers and information by post, for example our general or themed catalogues.

On what legal basis and for what period are my personal data processed?

The processing of your personal data is justified on various grounds (legal basis) based on the use we make of the personal data. Below are the legal bases and retention periods that we apply to our main processing operations.

Legal bases of processing

The applicable legal bases include the following:
  • Direct mail
    If you have not objected thereto, you may receive offers and information by post, for example our general or themed catalogues. 
  • Consent: you agree to the processing of your personal data by expressly consenting thereto (by ticking a box, or email or telephone contact with your ORSYS sales representative). You may withdraw this consent at any time. 
  • Legitimate interest: ORSYS has a commercial interest in processing your data that is justified, balanced and does not infringe your privacy. Subject to certain exceptions, you may at any time object to processing based on a legitimate interest, by reporting it to ORSYS. 
  • The law: the processing of your personal data is required by law.

Retention periods

Most of the data (your customer account information, order history, etc.) is retained for as long as you are an “active” customer and for a period of 5 years from your most recent activity. Your data is then archived with restricted access for an additional period on limited grounds authorised by law (payment, requests for old documents such as training certificates or diplomas, etc.). After this period, it is deleted.
Purpose of processing Legal basis Retention period in the operational database Archiving Useful observations
Management of orders for training courses or related services Agreement 5 years from most recent activity 5-10 years Customers are active, for example, when they register themselves or any of their employees, undergo training, meet one of our sales representatives or log into their account.
Use of the Espace Pro account (for advisers) or MyOrsys account (for participants) Agreement 5 years from most recent activity 5-10 years  A purchasing customer is active, for example, when making a purchase, retrieving administrative documents or logging into their Espace Pro account. A participating customer is active when they have taken a training course or log into their MyOrsys account.
Sending of documents by post (direct marketing) by ORSYS Legitimate interest 5 years from most recent activity N/A As part of managing your customer account, you may receive hard copy communications from ORSYS relating to its products or services (general and thematic catalogues, brochures, etc.). You can object thereto at the time the account is created and then at any time.
Sending of messages by email (electronic direct marketing) by ORSYS Legitimate interest 5 years from most recent activity N/A As part of managing your customer account, you may receive electronic communications from ORSYS relating to its products or services. You can object thereto at the time the account is created and then at any time.
Sharing of data within the ORSYS group for KYC purposes Legitimate interest 5 years from most recent activity 5-10 years You can notify us at any time, by post or email, that you object to the information being shared within the ORSYS group.

What measures are taken to secure my data?

ORSYS implements technical and organisational measures to prohibit unauthorised access to or the unauthorised disclosure of data: 

  • Access to our premises and IT environments is secure. 
  • Access to, the sharing of and the transfer of data are secure. 
  • All our employees who access personal data are trained in confidentiality requirements.

Who are the recipients of my data?

Transfer of data to subcontractors

The data that we collect may be sent to the service providers (subcontractors) engaged by ORSYS to carry out its training courses for the purposes set out above, mainly for the purpose of actually delivering face-to-face or remote training courses.

Data sharing within the ORSYS group

Your data may also be sent to other subsidiaries of the ORSYS group for research and KYC purposes. You can request an up-to-date list of the group entities to which your data may be sent.

Sharing data with third parties

ORSYS only shares your data, and as little thereof as possible, with the service providers that deliver its training courses and with companies that collect and certify Customer Notifications. In the latter case, the data transferred (your first name, the first letter of your surname, your opinion on one of our training courses) does not allow you to be identified by name.

How do I express my choices concerning the use of my data?

You may withdraw your consent or object to the use of your data at any time: 
  • By email to rgpd@orsys.com
  • By post to ORSYS, Traitement des données personnelles, 1 Parvis de la Défense, La Grande Arche, Paroi Nord, 92044 Paris La Défense. 
  • If you have an account, online in your Espace Pro area (for training purchasers) or in your MyOrsys (for those participating in our training courses). 

All our advertising emails contain an unsubscribe link, allowing you to object to the use of your email address at any time.

What are my rights with regard to the use of personal data?

In accordance with the laws on the protection of personal data, you may exercise your rights (access, rectification, deletion, objection, limitation and data portability where applicable) by writing to rgpd@orsys.com or by post to ORSYS, traitement des données personnelles, 1 Parvis de la Défense, la Grande Arche, Paroi Nord, 92044 Paris La Défense. To enable us to respond quickly, please provide us with your surname(s)/first name(s), company, work email address used in your dealings with ORSYS, as well as the requested change. Certain requests to exercise your rights (right of access) must be accompanied by a signed photocopy of an identity document in order to verify your identity and specify the address to which the response should be sent. A response will then be sent to you within one month of receipt of the request. ORSYS has a Personal Data Protection Officer (DPO) who is responsible for ensuring the protection of personal data. You can contact ORSYS's DPO by writing to dpo@orsys.com (other than to exercise your rights, which is principally carried out by writing to rgpd@orsys.com)

Is my data transferred outside the European Union?

Your data collected as part of your business relationship with ORSYS is not transferred outside the European Union.

What about the personal data of minors?

ORSYS’s services are not intended for minors, and ORSYS does not therefore process data that specifically relates to minors.

What Cookies are used?

The cookies used by www.orsys.lu allow us to collect your visitor data in a manner that:
- helps us to understand how you use our website and thus improve your user experience;
- allows us to offer you personalised advertising content. 

Several types of cookie may be stored: 

- Technical browser cookies:
Technical cookies are those cookies used during browsing that are either strictly required in order to provide the website, or to facilitate and perform certain functions on the website. For example, a technical cookie can be used to record the type and version of your browser, the dates and times of your visit, your login details, the history and content of your orders, including incomplete orders. Accordingly, when you log in subsequently, you no longer need to re-enter some of your information. 

- Audience measurement cookies:
Audience measurement cookies are used to calculate usage statistics, assess the website's usability, and also detect issues in browsing on the website or organise certain content. 

Cookies used:
- Google Analytics: to analyse statistics on the use of our website 
- Hotjar: to analyse the way in which our website is used 

- Advertising cookies:
Advertising cookies are used to recognise users who return to the website or visit another website. As a result of these cookies, visitors can be tracked through the website. The aim is to display the most relevant advertisements to users based on their interests. 

Third parties (in particular advertising agencies, social networks, service providers such as retargeting services or behavioural analysis services) may also use cookies. These cookies may be used to analyse performance or to appropriately target advertisements displayed on the Internet browser. Information on the use of ORSYS’s website is made available to these third parties, who may combine it with other information they themselves have collected during your use of their services. 

Cookies used:
- Google Ads: to identify visitors from the Google search engine
- Facebook: to identify visitors from that site
- Linked: to identify visitors from that site
- Instagram: to identify visitors from that site
- Twitter: to identify visitors from that site
- Dialog Insight: to identify visitors from our advertising emails 

To benefit from all the website's features, it is preferable for users to accept all cookies. However, users may object to these cookies being stored by directly configuring their Internet browser. Aware of the inconvenience for you of altering your browser's settings, we make every effort to provide you, as rapidly as possible, with a consent management platform that complies with the CNIL's recommendations. 

Configure your cookies via your browser:
If you wish to delete cookies that are currently stored on your computer, you can do so via your browser settings (see below): 

For Google Chrome 

  • Click on the Tools menu icon. 
  • Select Settings. 
  • Click on the Advanced Options tab and go to the "Privacy" section. 

>>Find out more: Chrome documentation 

For Internet Explorer 

  • In Internet Explorer, click on the Tools button, then click on Internet Options. 
  • Under the General tab, under Browsing History, click on Settings. 
  • Click the View Files button. 
  • Click on the Name column header to sort all files into alphabetical order, then scan over the list until you see files beginning with the "Cookie" prefix (all cookies have this prefix and generally contain the name of the website that created the cookie). 
  • Select the cookie(s) that include(s) the name “orsys” and delete them. 
  • Close the window that contains the list of files, then double-click on OK to return to Internet Explorer. 

>>Find out more: Internet Explorer documentation 

For Firefox 

  • Go to the Tools menu of the browser and select the Options menu. 
  • In the window that appears, choose “Privacy and Security” and click on “Manage Data”. 
  • Find the files that contain the name "orsys", select them and delete them. 

>>Find out more: Firefox documentation 

For Safari 

  • In your browser, choose the Edit > Preferences menu. 
  • Click on Security. 
  • Click on View Cookies. 
  • Select the cookies that contain the name “orsys” and click Delete or Delete All. 
  • After deleting the cookies, click on Done. 

>>Find out more: Safari documentation 

 The CNIL's website contains details of your rights in this area https://www.cnil.fr/vos-droits/vos-traces/les-cookies/

What data is collected by mobile applications?

Use of your data in connection with the ORSYS app

If you use the ORSYS mobile app, certain personal data may be collected by the publishers of the operating systems used in your mobile telephone or tablet. We invite you to read the privacy policies of the publishers of the operating systems (iOS, Android, Windows, etc.) in order to find out how your data is used by publishers of operating systems in their capacity as data controllers.

Date of last update: 07-02-2021