This document is addressed to you if you are one of our customers, prospects, providers, suppliers or partners, or a visitor to the softfil.com website; it explains how your personal data is processed by SMA, in compliance with the General Data Protection Regulation (“GDPR”).
1. Who is responsible for the processing of your data?
The party responsible for processing your data is SMA, i.e. SOFT MEDICAL AESTHETICS, a simplified corporation under French law, whose registered office is located at 55, boulevard Pereire in Paris 17e (75017) and which has the intra-community VAT number FR01518712120.
As data controller, SMA is your point of contact for any questions relating to this Policy and the data processing described herein.
You can contact us by phone at +33 (0)1 70 62 90 09 or by email at firstname.lastname@example.org. You can also contact our Data Protection Officer (DPO) by email at email@example.com.
2. What data is collected about you, and for what purposes?
a. SMA customers and customer representatives
We collect and process various personal data related to our customers (such as healthcare professionals) and representatives of our customers who are legal persons (such as representatives of client clinics), for the purposes of :
- Management of the commercial relationship, including in particular the orders placed directly on the site softfil.com;
- Monitoring of quality and customer satisfaction, particularly through surveys, and traceability of our products;
- Keeping our accounts and fulfilling our tax obligations.
The data processed for these purposes includes identification data (surnames, first names, profession or position held), postal, telephone or electronic contact details, payment and more generally financial or commercial data (means of payment used, bank card details, amounts and content of orders), as well as our written exchanges with the data subjects (email exchanges, content of orders, responses to customer surveys, etc.).
The processing of this data is justified in that it is necessary for the purpose of performing a contract between SMA and the data subject (for natural persons) (Article 6.1.b) of the GDPR) or in that it is necessary for the pursuit of a legitimate interest of SMA, namely its legitimate interest in carrying out its commercial activity (Article 6.1.f) of the GDPR).
Certain specific processing operations (invoicing, accounting processing) are justified in that they are necessary for the performance of legal or regulatory obligations incumbent on SMA (Article 6.1.c) of the GDPR.
We collect and process various personal data relating to our service providers, suppliers, distributors and partners (including, in particular, partnering healthcare professionals in the context of our training courses, events and product tests) as well as their representatives for the purposes of:
- Management of the commercial relationship with the service provider, supplier, distributor or partner ;
- Management of our product traceability obligations ;
- Organization of our events, trainings and product tests ;
- Keeping our accounting records and fulfilling our tax obligations.
The data processed for these purposes include identification data (surnames, first names, profession or position held), postal, telephone or electronic contact details, financial or commercial data, as well as our written exchanges with the data subjects (email exchanges, responses to product test questionnaires, etc.).
The processing of such data is justified in that it is necessary for the purpose of performing a contract between SMA and the data subject (for natural persons) (Article 6.1.b) of the GDPR) or in that it is necessary for the pursuit of a legitimate interest of SMA, namely its legitimate interest in carrying out its commercial activity (Article 6.1.f) of the GDPR).
Certain specific processing operations (product traceability, accounting processing) are justified in that they are necessary for the performance of legal or regulatory obligations incumbent on SMA (Article 6.1.c) of the GDPR).
We collect and process data related to the visitors of the softfil.com website (users with an account on the site or simple visitors) for the purpose of :
- Technical management of the site (hosting, detection of bugs and attempts of cyber attacks) and personalization of its contents ;
- Management of the referencing of the site by the various search engines (natural and paid) ;
- Measurement of the audience of the site and its various contents ;
- Processing of messages received via the site’s contact form ;
- Management of user accounts ;
- Targeted advertising for our products.
The processing of this data is justified in that it is necessary for the purpose of pursuing legitimate interests of SMA, namely its interest in increasing the visibility, ergonomics and relevance of its website, in responding to messages addressed to it (Article 6.1.f) of the GDPR).
The processing of data related to user accounts is justified in that it is necessary for the execution of a contract between SMA and the persons concerned, namely the general terms and conditions of the site, accepted by the user when creating his account (article 6.1.b) of the RGPD).
The processing of data for targeted advertising purposes is justified by the consent of the data subject (Article 6.1.a) of the GDPR), manifested when accepting targeted advertising cookies.
We collect and process data about our prospects, institutional contacts and SoftFil newsletter subscribers for the following purposes :
- B2B prospecting (by email and/or phone) ;
- Management of the company’s communication, for example through events or publications ;
- Sending the Softfil newsletter and measuring the audience of this newsletter (opening rate, view, etc.).
The data processed for these purposes include identification data (name, surname, profession or job title), postal, telephone or electronic contact data, our written exchanges with the persons concerned (email exchanges) as well as information about the opening and reading of the newsletter by each subscriber.
The processing of this data is justified in that it is necessary for the pursuit of SMA’s legitimate interests, namely its interest in seeking new professional customers and communicating about the company’s activity and products (article 6.1.f) of the RGPD).
Special case: For newsletter subscribers whose professional activity is unrelated to SMA’s products and business activity, the processing of their data in the context of sending this newsletter is justified by their consent to receive the newsletter (Article 6.1.a) of the GDPR), as expressed when they subscribe to this newsletter. In other words, we only subscribe these individuals to our newsletter at their express request.
This consent can be removed at any time by unsubscribing from the newsletter via the link inserted at the bottom of each newsletter.
We collect and process data relating to participants in our professional training courses for the purposes of: :
- Organizing our training courses, including managing participant registrations; ;
- Implementing online training courses through a professional videoconferencing service.
The data processed for these purposes includes identification data (surnames, first names, profession or position held), postal, telephone or electronic contact details, audio and video feeds of the video conference training courses, as well as our written exchanges with the persons concerned (email exchanges, written feedback on the training courses, etc.).
The processing of this data is justified in that it is necessary for the pursuit of a legitimate interest of SMA, namely its interest in offering training courses to a professional audience, including online (Article 6.1.f) of the GDPR).
In addition to the above, we collect and process personal data in the following situations.
We process data about visitors to Softfil pages/accounts on the social networks Facebook, Instagram, Linkedin and Pinterest in order to measure the audience for these pages/accounts and for our publications on them. These data correspond to the navigation data of the visitors concerned on these different social networks; they are only accessible to us in the form of already aggregated statistics, without information on an individual level. This data processing is justified by SMA’s legitimate interest in managing its communication on the aforementioned social networks (Article 6.1.f) of the GDPR).
We may also process data relating to any persons (other than those mentioned in the above sections) involved or mentioned in a dispute or litigation involving SMA. The details of the data processed depend on the nature and circumstances of the dispute or litigation. This data processing is justified by SMA’s legitimate interest in defending its rights and interests, including in court (Article 6.1.f) of the GDPR))
3. How long will your data be kept?
SMA therefore retains the above-mentioned personal data for as long as it is necessary for at least one of the listed purposes, in accordance with the storage limitation principle of the GDPR.
In most cases, this corresponds to the period for which SMA is obliged to retain such data under a legal retention obligation (e.g. retention of accounting records for 10 years, imposed by the Commercial Code), or the period for which the data concerned may be necessary for SMA to protect itself from litigation or dispute. The table below details the maximum retention periods that may apply to different types of data.
Types of data
Intended maximum retention period
Customers, contractors, suppliers, subcontractors, distributors and business partners (or their representatives)
Invoices, credit notes and other accounting documents
10 years from the end of the accounting period concerned
Other data: contact information, copies of contracts, other information necessary for the execution of contracts (bank details, etc.)
5 years from the end of the commercial relationship
Identity and contact information, written exchanges with prospects
3 years from the last contact received
Identity and contact information, individual newsletter opening and reading statistics
Duration of the subscription to the newsletter (3 years maximum from the last opening of the newsletter)
Identity and contact information of participants
Time needed to organize the training
Connection and browsing logs
Messages received via the contact form and further exchanges
3 years from the last contact received
Identity and contact information, survey responses
Persons involved or mentioned in a dispute or litigation involving SMA
All relevant data for the management of the dispute or litigation
Limitation period applicable to the subject matter of the dispute/litigation
4. Who has access to your data? With whom is it shared?
a. SMA employees
SMA employees may access and process your data within the framework and limits of their respective missions.
We also use external service providers for the purposes listed below; these service providers may consult and/or store some of the personal data mentioned above, to the extent necessary for their mission.
- SaaS provider for the supply of our commercial management, inventory management and accounting solution (ERP), accounting assistance provider ;
- Providers of hosting and maintenance of the softfil.com website; providers of tools used for the management of the website content (including the online store) and the translation of this content;
- IT service providers for the maintenance, management and support of our IT resources (servers, software, networks) ;
- Internet access providers and our corporate telephone solution; hosting provider for our e-mail boxes ;
- Newsletter sending service provider ;
- Provider of video conferencing for online professional training ;
- Providers of solutions for analyzing the performance and ergonomics of the softfil.com site, providers of targeted advertising (social network publishers);
- SaaS provider for the organization of customer satisfaction surveys ;
- SaaS provider for the optimization of the softfil.com website referencing.
Some of these service providers may transfer or access your data from countries outside the European Union; in such cases, we have ensured that appropriate safeguards are in place for this transfer, in each case in the form of standard contractual clauses adopted by the European Commission and, where relevant, additional safeguards such as data encryption.
c. Other Data Recipients
We may also share certain data with the following persons and entities for the following purposes :
- Our distributors and partners, when it is necessary for our commercial management or for the organization of our trainings, events and product tests ;
- Our subcontractors and delivery service providers, for the management of the delivery of orders ;
- The editors of the social networks on which we have pages or accounts;
- The organizers of professional events in which SMA participates ;
- Our legal and financial advisors and auditors.
These persons and entities are all based in the European Union; if not, we will take appropriate measures to ensure the protection of the data transferred to them, primarily in the form of standard contractual clauses adopted by the European Commission.
5. What rights do you have to control the processing of your data?
You have a certain number of rights with regard to the processing of your personal data, as provided for by the regulations. You will find the details below.
You can exercise these rights by writing directly to SMA by e-mail at firstname.lastname@example.org.
Remember to indicate in your e-mail the nature of the right you wish to exercise and the reasons that justify, if any, your request to exercise this right.
You have the right to request a copy of the personal data we hold about you in an easily understandable format and a copy of this policy in a durable medium.
You have the right to ask us to correct, complete or update the data we have about you, if it seems inaccurate, incomplete or obsolete.
In this case, we would be grateful if you would spontaneously communicate to us, as far as possible, the new information necessary to proceed with the requested correction, completion or update.
With respect to the data processing operations listed above that are justified by SMA’s legitimate interests (see section 2 above), you have the right to object to them on grounds relating to your particular situation.
In other words, you may ask SMA to cease any of these processing operations with respect to you, stating the particular reasons that justify this request from your point of view.
However, SMA may refuse to comply with your request, if the continuation of such processing is necessary, in our opinion, for compelling reasons (for example: if the data concerned is necessary for the protection and defense of SMA’s rights in a court of law).
Opposition (if it is based on valid reasons and there are no compelling reasons against it) will lead to the cessation of processing for the future, but not necessarily to the destruction of the data concerned: in order to obtain such destruction, you must exercise your right to erasure under the conditions described below, it being specified that the latter is subject to limitations due, for example, to the need to retain the data for the protection and defense of SMA’s interests in court.
d. Right to limitation of processing
You can ask us to delete all or part of the data we have about you, if at least one of the following conditions is met:
- You have objected to the further processing of your personal data in accordance with the above, and would like SMA to delete the data concerned.
- The deletion of the data concerned is imposed by a legal obligation.
- You consider that SMA has collected and/or processed the data concerned in a manner contrary to the law.
- The deletion of the data concerned is imposed by a legal obligation.
- The data concerned relates to a person who was less than fifteen (15) years old when the data was collected.
Please be aware that SMA has the right to object to the deletion of certain data, when their retention is necessary for particularly important reasons, such as the protection and defense of its legal interests.
You should also be aware that we may choose to completely and irreversibly anonymize data instead of deleting it. In this way, we will be entitled to retain the data in a format that no longer allows you to be identified (e.g. for statistical purposes).
e. Right to cancellation of data
For example, if you do not exercise your right to erasure, you may also request that SMA “set aside” certain data about you, i.e., keep the data separate and not use it again (unless required by law).
You may make such a request when at least one of the following conditions is met :
- The data concerned appears to you to be inaccurate, and you prefer that SMA cease using it for the time necessary to verify and rectify it.
- You have exercised your right to object as described above, and you would prefer that SMA cease using the data in question for the time necessary to verify the validity of your objection.
- You consider that SMA has collected and/or processed the data concerned in a manner contrary to the law, but nevertheless prefer that we retain the data rather than delete it.
- The data concerned is no longer necessary for any of the purposes set out above, but you still wish SMA to retain it for the purpose of defending your legal interests.
In such cases, we will “quarantine” the data for as long as necessary, for example by marking it “Do not use – Right to restriction”.
You can ask us to send you a copy of the data whose processing is justified by your consent or the execution of a contract to which you are a party (see under section 2 above) in a customary computer format, allowing their re-use by yourself or another service provider.
This right to portability differs from the right of access in that its purpose is not to obtain a copy that can necessarily be read by you, but rather a copy that can be reused, in particular with a view to changing service providers..
Finally, you have the right to tell us how you want us to handle your data in the unfortunate event of your death.
In particular, you may ask us to destroy all of your data (subject to any compelling retention needs we may have, such as for the purpose of defending SMA’s legal rights), or to provide a copy of all such data to a person of your choice.
You may also designate anyone you choose to be responsible for carrying out these “last wishes”; this person does not necessarily have to be one of your heirs or even the executor of your estate.
► Summary table
What they allow you to obtain
Conditions, exceptions or limitations
Right to access
A legible and understandable copy of the data that SMA has about you, as well as a durable copy of this Policy
Right of rectification
The rectification, updating or completion of data concerning you
Clearly indicate the data to be corrected, completed or updated, as well as the new data if applicable
Right of opposition
The cessation of processing of your data for the future
Processing based on a legitimate interest of SMA (see under section 2 above)
Explain the reasons for discontinuing treatment based on your particular situation
Right to erasure
The deletion of your data, or their complete and irreversible anonymization
Right to limit processing
Retention of your data without further use
All data processing
See explanations in the text above (point d)
Right to data portability
A copy of your data in a common computer format, allowing their reuse by you or a service provider of your choice
Processing based on a contract or your consent (see section 2 above)
Clearly indicate, if applicable, the identity of the person or organization to whom you wish SMA to send the copy of the data
Right to set guidelines for what happens to your data after your death
Respecting your “last wishes” regarding your personal data (e.g. deletion or transmission to any person of your choice)
Clearly indicate the persons responsible for following up on the proper execution of your instructions, who will be our contacts after your death
► You consider that we have not responded satisfactorily to your request, or that we are processing your data unlawfully?
First of all, we invite you to contact SMA so that we can discuss the problem together and try to solve it in the best possible way.
However, if you wish, you have the right to contact the competent authority for data protection in France, namely the Commission Nationale de l’Informatique et des Libertés (CNIL), via its website cnil.fr or by mail at the following address CNIL – 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
This right can be exercised at any time and does not entail any costs for you, apart from the cost of sending postal mail, if any, and the possible cost of assistance or representation if you choose to be assisted in this procedure by a third party.