It meets, and in some cases even exceeds, the main requirements laid down by the legislation and regulations in force. It also complies with other specific Asmodee Group policies relating to the collection and use of Personal Data implemented by each entity of the Asmodee Group to cover the specific needs of day-to-day Personal Data Processing (e.g. policy on cookies, specific local policies such as charters relating to the protection of employees' Personal Data). This Policy takes into consideration the fact that some of the Asmodee Group's Subsidiaries are based in countries that adopt different approaches to privacy and the protection of Personal Data from a legal and cultural perspective. In some countries, the Policy may be supplemented by other policies or procedures in order to comply with applicable legislation and local cultural norms.
In the event of a conflict between this Policy and local data protection policies or local law, or in the event that the provisions of this Policy cannot be enforced, the local policy and local law will prevail.
For your ease of understanding, a number of useful definitions are provided in section 2 of this Policy.
1. What is the scope of this Policy?
1. This Policy covers all Personal Data in any form, such as electronic data, documents on paper or on disks, as well as any type of Processing, whether manual or automated, belonging to or controlled by the Asmodee Group, in all countries where the Asmodee Group is present. This includes information about members of the Asmodee Group, its partners, employees, consultants, customers, consumers, suppliers, professional relations and any third parties.
2. The protection of minors is our main concern and we have implemented various reasonable measures to prevent the Processing of Personal Data concerning them. Therefore, we do not process Personal Data about children without first verifying their numerical majority, which may vary from country to country, or without obtaining the consent of the person exercising parental authority on their behalf if they are under the minimum age required to provide us with their Personal Data.
3. This Policy also applies to any Third Party that provides services for or on behalf of the Asmodee Group. Such Third Parties must adhere to standards of conduct consistent with the principles of this Policy.
1. Asmodee Group: means the Financière Amuse BidCo (Versailles Trade and Companies Register: 815 143 904) as well as the various Subsidiaries of Financière Amuse BidCo that are part of the Asmodee Group.
2. Subsidiary: means any company or entity that directly or indirectly controls or is controlled by or under common control with Financière Amuse BidCo. Control of an entity means the possession, directly or indirectly, of the power to direct or cause to be directed the management or policies of such entity, whether through ownership of voting securities, by contract or otherwise.
3. Third Party: means a third party or business partner who is entrusted with Personal Data by or on behalf of the Asmodee Group, such as suppliers, first level or higher level sub-contractors or providers of other types of services.
4. Data Subject: means an identified or identifiable person whose Personal Data is processed by the Asmodee Group.
5. Informed Consent: means any freely given and informed indication of the consent of the Data Subject with regard to the Processing of his/her Personal Data.
6. Personal Data: means any information enabling a natural person to be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, psychological, economic, cultural or social identity. Data are considered personal when they allow anyone to associate information with a specific person, even when the person or entity holding the data is not able to establish the link by itself.
7. Sensitive Data (or special categories of data which include data revealing a natural person's ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership, and the Processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, the sexual life or sexual orientation of a natural person) and Personal Data relating to criminal convictions or offences constitute a sub-category of Personal Data, which by their nature have been classified under applicable law or policy as requiring additional protection measures in terms of confidentiality and security.
8. Data Processing or Processing: means any operation or set of operations applied to Personal Data, whether or not automated, such as collection, recording, organization, conservation, access, adaptation, modification, extraction, consultation, use, communication, dissemination or any other form of making available, alignment, interconnection, limitation, erasure or destruction (the Processing will be interpreted accordingly).
3. How do we guarantee the legality, fairness and transparency of the Processing of Personal Data that we carry out?
Personal Data are processed (i) on legal bases (ii) with informed information for the Data Subjects.
1. We use Personal Data only:
- for the purposes of the performance of a contract concluded with the Data Subject (examples: our employees, our subcontracting companies, our customers, our suppliers, etc.); or
- to comply with a legal obligation; or
- when the use of Personal Data is justified by a legitimate operational need or reason to carry out our activities (for example: the Processing of Personal Data to get to know our customers better); or
- where we have obtained the Informed Consent of the Data Subject where such consent is expressly required. Thus, when required by law (for example, to communicate commercial information by electronic means) or by the applicable local Personal Data protection policy, the relevant Asmodee Group Subsidiary may be required to obtain the consent of the Data Subjects for the purposes of collecting, using, storing or communicating their Personal Data. This may also be the case where none of the legitimate reasons described above apply, within the limits of the legislation in force.
2. We consider it important to assess the privacy risks before collecting, using, storing or disclosing Personal Data, for example when implementing a new system or in the context of a project.
3. The Asmodee Group will only process Personal Data in accordance with what is indicated in its specific notices or policies for the protection of Personal Data and in accordance with any Informed Consent it has obtained from the Data Subject.
4. The Asmodee Group does not carry out profiling operations on the basis of automated decision making, except in cases based on a legal requirement or to meet the needs of the execution of a contract or subject to the consent of the Data Subject and provided that appropriate safeguards are implemented to protect the rights of the said person.
6. Wherever legally required, we ensure that Data Subjects have access to relevant information on the Processing of their Personal Data, unless this is impossible or requires disproportionate efforts. Such information includes in particular the purposes of the Processing of Personal Data, the types of Personal Data collected in case they do not originate directly from the Data Subject, the categories of recipients, the list of rights likely to be exercised by the Data Subjects, the consequences of failure to respond, the conditions of transfer of Personal Data outside the European Union (hereinafter "EU") if applicable, the mechanisms used to protect Personal Data in case of transfer, etc. We comply with this request by providing the Data Subject with a fact sheet relating to the protection of Personal Data at the time of the collection of their Personal Data. Fact sheets relating to the protection of Personal Data must be drafted in such a way that the Data Subjects can easily understand the use made of their Personal Data.
4. How do we process Personal Data for specific and legitimate purposes and how do we verify the accuracy and minimization of such Personal Data?
Personal Data is collected and processed only for legitimate purposes, in accordance with the principle of minimization and the principle of accuracy.
1. They are collected for one or more specific, explicit and legitimate purposes. They shall not be treated beyond these purposes or in a manner incompatible with them.
2. We carefully evaluate and define the purposes of Personal Data Processing before launching a project (e.g. recruitment data management, payroll, accounting and financial management, risk and employee security management, allocation of IT tools, and any other digital solutions and collaborative platforms, IT support management, health and safety management, information security management, customer relationship management, bidding, sales and marketing, procurement, internal, external and event communication management, compliance with anti-money laundering measures and any legal obligations, particularly in terms of anti-corruption, implementation of compliance processes, mergers and acquisitions management, etc.).
3. We ensure that the Personal Data we collect are relevant, appropriate and limited with regard to the purposes of the Processing and their possible use (consumer insights, marketing, promotions, etc.). This means that only data which are necessary and relevant to the purposes pursued are collected and processed.
4. When collecting Sensitive Data or data relating to criminal convictions or offences, the principle of proportionality is fundamental. We do not collect Sensitive Data or data relating to criminal convictions or offences, unless required or permitted by applicable law or unless the Data Subject has expressly given his or her prior consent.
5. All reasonable steps are taken to ensure that Personal Data are accurate and kept up to date at each stage of their Processing, i.e. during collection, transfer, storage and retrieval.
6. We encourage Data Subjects to help us keep their Personal Data up to date by exercising their rights, in particular their rights of access and rectification.
5. What are the security and protection measures for Personal Data that we implement?
Given that employees, customers, suppliers, consumers and business partners trust the Asmodee Group when they provide the Asmodee Group with their Personal Data, the Asmodee Group guarantees the security and protection of said data during Processing.
1. We protect all Personal Data that we collect, use, store and communicate to us in the course of our activities by complying with the use policies, technical and organizational policies, standards and procedures.
2. The sector's standard technical and organizational measures are implemented to prevent accidental or unlawful destruction or loss, alteration, unauthorized communication or access or any other unlawful or unauthorized form of Personal Data Processing.
3. When a Processing is to be carried out on its behalf by a Third Party, the Asmodee Group selects service providers offering sufficient guarantees to implement the appropriate technical and organizational measures so that the Processing of Personal Data complies with the provisions of the legislation in force and so that the rights of the Data Subjects are guaranteed.
4. The Asmodee Group strives to take all reasonable measures based on the principles of "Privacy by Design" and "Privacy by Default", as specified below, in order to implement the necessary guarantees when processing Personal Data. The Asmodee Group therefore adopts technical and organizational measures from the earliest stages of processing operations in order to preserve privacy and the principles of Personal Data protection from the very beginning of the process ("Protection of Personal Data from the Design of the Processing" or "Privacy by Design"). By default, the Asmodee Group ensures that Personal Data is treated in a confidential manner (e.g., only necessary Personal Data is processed, short retention period, limited accessibility) so that such data is not accessible to an indeterminate number of people ("Default Protection of Personal Data" or "Privacy by Default").
5. In the event that a particular Processing of Personal Data presents high risks to the rights and freedoms of the Data Subjects, we assess the privacy implications prior to its implementation.
6. Any invasion of privacy, no matter how small, leads to action. We will investigate any claim relating to any potential or actual breach of this Policy or of applicable law brought to our attention or of which we have become aware. We take all reasonable steps to limit the effects of such breaches.
6. How long do we keep your Personal Data?
1. Any person processing Personal Data on behalf of the Asmodee Group will keep them for as long as necessary for the purposes for which they were collected and processed (as well as for any other compatible purpose). It could be:
-to meet the needs of or support a business activity; or
-to comply with a legal or regulatory provision and the conditions of the applicable statute of limitations;
-to defend itself in an action based on a breach of a legal or contractual obligation (in which case, the Personal Data may be retained until the end of the relevant statute of limitations or in accordance with any retention policy in the context of legal proceedings).
2. Personal Data is retained and destroyed in accordance with the applicable legislation and any applicable retention policy of the Asmodee Group.
7. What are your rights as a Data Subject?
We are attentive to any request, question or query from Data Subjects in relation to their Personal Data. Where required by law, we allow Data Subjects to access, rectify, limit or delete their Personal Data as provided for by applicable law. We also allow them to object to the Processing of their Personal Data and to exercise their right to portability.
1. Right of access: as required by law, we give Data Subjects access to all of their Personal Data as well as to the categories of data processed and recipients, to the retention period, to the rights of rectification, deletion or restriction of the Personal Data where appropriate.
2. Right to portability: We are also able to provide a copy of any Personal Data that we maintain in our files in a compatible and structured format to enable the exercise of the right to portability of Personal Data to the extent permitted by applicable law.
3. Right of rectification: Data Subjects may request that any incomplete, obsolete or inaccurate information be rectified, modified or deleted.
4. Right to deletion: Data Subjects may request that their Personal Data be deleted when one of the following grounds apply: (i) the Personal Data is no longer necessary for the purposes for which it was processed; (ii) the Data Subject withdraws his or her consent to the Processing of his or her Personal Data; (iii) the Data Subject objects to the Processing of his or her Personal Data; (iv) the Personal Data is being processed unlawfully; (v) the Personal Data must be erased to comply with a legal obligation applicable to the Asmodee Group. The Asmodee Group will take all reasonable steps to inform other entities belonging to the Asmodee Group of such deletion.
5. Right to limitation: in cases where: (i) the accuracy of the Personal Data is disputed, to allow the Asmodee Group to verify it; (ii) the Data Subject wishes to limit rather than delete his Personal Data, despite the fact that it is being unlawfully Processed; (iii) the Data Subject wishes the Asmodee Group to retain his or her Personal Data, as it is necessary to defend his or her rights in court; (iv) the Data Subject objects to the Processing, but the Asmodee Group verifies the legitimate reasons for the Processing. These grounds are likely to prevail over the rights of the Data Subject.
6. Right to withdraw consent: where the Processing of Personal Data is based on the consent of the Data Subject, the Data Subject may withdraw his or her consent at any time without prejudicing the lawfulness of the Processing based on consent prior to such withdrawal.
7. Right of opposition: the Data Subject may oppose at any time to the Processing of his/her Personal Data:
-when Personal Data is processed for the purposes of canvassing or profiling and direct mail, or
-to oppose the communication of Personal Data to Third Parties or within the Asmodee Group, or
-where the processing is based on the legitimate interests of the Asmodee Group, except where the Asmodee Group demonstrates that there are legitimate and compelling reasons for the processing operation which override the interests, rights and freedoms of the Data Subject or that the processing is necessary for the establishment, exercise or defense of legal claims.
The Data Subject also has the right to lodge a complaint with the competent supervisory authority.
8. When and how do we disclose your Personal Data to Third Parties?
Personal Data is disclosed outside the Asmodee Group only when permitted by law.
1. The communication of Personal Data may only be made to persons (natural or legal persons) who need to have access to it, to have knowledge of it and when the transfer of Personal Data is clearly justified: either because the Data Subject has consented to the transfer or because the disclosure of the Personal Data is necessary for the proper performance of a contract in which the Data Subject participates, or for a legitimate reason that does not infringe upon the fundamental rights of the Data Subject, including his or her right to privacy (for example, disclosure of Personal Data in the context of a merger or acquisition, etc.). In each case, the Data Subject must be informed of the likely disclosure of his/her Personal Data. The recipient will also be required to guarantee that it will only use the Personal Data for legitimate / authorized purposes and will keep it secure.
2. In the event that a particular disclosure is necessary to comply with a legal obligation (e.g. for the benefit of a public body, law enforcement or security service, or in connection with legal proceedings), Personal Data may in principle be disclosed provided that this is limited to what is legally required and, if permitted by law, that the Data Subject has been informed of the situation (e.g. the Data Subject has been informed of such a possibility by means of an Informed Consent or at the time of the request for disclosure).
9. How are international transfers of Personal Data from the EU protected?
Personal Data from Asmodee Group entities operating within the EU are not transferred outside the EU to a third country that does not guarantee an adequate level of protection, unless the appropriate safeguards have been implemented in accordance with applicable legislation.
1. The international transfer of Personal Data is an extremely sensitive matter that we take seriously. We pay our full attention before transferring Personal Data from their country of origin belonging to the European Economic Area (hereafter "EEA") to another country outside the EEA, whether such transfer is justified by technical reasons (storage, hosting, technical assistance, maintenance, etc.) or by overriding purposes (Human Resources management, customer database management, etc.).
2. We never carry out international transfers of Personal Data from a EEA country to another non EEA country without ensuring that appropriate transfer mechanisms as required by applicable data protection laws are in place, to ensure adequate protection of the data when transferred (e.g. adequacy decision, signature of EU Commission model clauses as appropriate, etc.). In some cases, we may also have to notify or gain pre-approval from the relevant privacy regulator prior to the transfer taking place
10. How do we handle claims?
1. The Asmodee Group is committed to resolving legitimate issues relating to the protection of Personal Data of its staff, customers and other contacts. In the event that an employee believes that he/she has violated the Policy, he/she should contact the legal department of Asmodee Holding, a Subsidiary of Financière Amuse BidCo, at the following address: firstname.lastname@example.org and report the problem.
2. Data Subjects may lodge a complaint concerning the protection of their Personal Data by writing an e-mail to the legal department of Asmodee Holding at the following address: email@example.com. They may also lodge a complaint with a supervisory authority. In particular, these possibilities are explained in the privacy policies that are accessible or communicated to the Data Subjects.
3. In the event that an individual covered by this Policy files a complaint regarding the Processing of his/her Personal Data or that of a third party and his/her complaint has not been properly resolved through this internal procedure, the Asmodee Group will cooperate with the appropriate data protection authorities and will comply with the opinions of such authorities in resolving the unresolved complaints. In the event that the Data Protection Officer or the data protection authorities decide that the Asmodee Group or one or more members of its staff have not complied with this Policy or with the legislation on the protection of Personal Data, based on the recommendations issued by the said officer or authorities, the Asmodee Group will take appropriate measures to address any negative consequences and promote compliance in the future.
11. Updating this Policy
- As our business and the regulatory environment is constantly evolving, this Policy is subject to change. You are therefore invited to consult it regularly.