Personal data protection policy

1. Context and legal context

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (GDPR), sets out the legal framework applicable to the processing of personal data.

As part of this, we present the procedures for complying with this regulation, in accordance with its requirements. UNIRESI does indeed manage personal data in the course of its business. This activity mainly involves helping students or their relatives to find accommodation (student residences, coliving, etc.).

2. Elements relating to our application of the regulations

The information relating to the management of personal data, in accordance with the regulations, is as follows:

• Details of the data controller: UNIRESI
• The purposes of the data processing:
  • Gathering requests for help in choosing student residences via our websites or prescribers.
  • Assist our contacts in their search for student residences or student accommodation solutions.
  • Passing on these requests to the residences most likely to meet the needs of these contacts, so that we can help them make their choice.
  • Monitor the progress of these requests with the residences.
  • Carry out satisfaction surveys on the solutions proposed.
• Origin of the data :
  • Request made by a family or group leader on a website
  • Request made by a family or group leader by telephone
  • Request received from a group leader in writing
  • Telephone conversation and exchange of emails / sms / WA with families / partners
• The type of data processed by these operations:
  • identification data: surname, first name of the student and contact person, telephone number, email address, etc.
  • financial data: budget
  • data relating to preferences: criteria for choosing a residence (location, services offered, etc.)
• Recipients of this data: The student residences / coliving centres best able to meet the needs of these contacts.
• How long personal data is kept: 5 years
• Other rights of the individual: The regulations require that individuals be informed of their rights, which is the main purpose of this text (explanation above and below).

3. General principles governing the collection and processing of personal data

UNIRESI makes every effort to comply with regulations when collecting and processing personal data:

• Both internally and externally, with our partners (student residences, coliving, etc.)
• at both IT and organisational levels (protection of servers and IT databases, management of internal procedures, management of authorisations, information for individuals, etc.).

4. Rights of individuals

Clients and contacts have the right to request UNIRESI to respect their rights with regard to data concerning them. These rights include the following:

• Consent / Withdrawal of consent
• Right of access
• Right to modification
• Right to be forgotten
• Right to limit processing

These rights are subject to compliance with the following rules:

• The request must be made by the individual him/herself and accompanied by
  • a copy of an up-to-date identity document,
  • or is sent from the email address indicated in the request for assistance.
• The request must be made in writing to the following address: UNIRESI - Retraite Plus, 14 Quai de la Marne 75019 Paris or to the following e-mail address: donnees-personnelles@retraiteplus.fr
• The request must precisely explain the exact purpose of the request to exercise its rights, in accordance with the GDPR regulations.

In accordance with legislation on the protection of personal data, customers and contacts are informed that this is an individual right that can only be exercised by the person concerned in relation to their own information: for security reasons, the department concerned will therefore need to verify your identity in order to avoid any communication of confidential information about you to anyone other than you.

Clients and contacts have the right to request a copy of their personal data being processed from UNIRESI. However, in the event of a request for an additional copy, UNIRESI may require clients and contacts to bear the cost thereof.

If clients and contacts submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

Customers and contacts are informed that this right of access may not relate to information or data that is confidential or for which communication is not authorised by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the service concerned.

Important note on “Consent”

When a person provides information (surname, first name, telephone number, e-mail address, location of search, urgency, etc.) on one of our websites, by e-mail or otherwise, to enable UNIRESI to assist him/her in the search for establishments and to call him/her back, he/she is explicitly giving his/her consent to the processing of the personal data he/she has provided and to that which he/she will subsequently communicate to our advisers or to any other UNIRESI employee during telephone conversations and exchanges of computer or telephone data (e-mail, sms, WA, etc.).

Any person has the right, at any time, to request the withdrawal of his or her consent to the processing of his or her personal data, in accordance with the regulations. UNIRESI undertakes to comply strictly with this right as soon as possible.

5. Subcontracting

UNIRESI informs its clients and contacts that it may involve any subcontractor of its choice in the processing of their personal data.

In this case, UNIRESI shall ensure that the subcontractor complies with its obligations under the GDPR, whether or not it is located within or outside the European Union.

UNIRESI undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on subcontractors as it does itself. In addition, UNIRESI reserves the right to audit its subcontractors in order to ensure compliance with the provisions of the GDPR.

6. Security

UNIRESI defines and implements the physical or logical technical security measures that it deems appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.

These measures mainly include :

• Information systems security policy
• Management of identifications and authorisations for data access
• Back-up and archiving measures
• Disaster recovery measures
• Security audits

7. Data breach

In the event of a breach of personal data, UNIRESI undertakes to notify the CNIL in accordance with the conditions prescribed by the GDPR.

If such a breach gives rise to a high risk for clients and contacts and the data has not been protected, UNIRESI :

• notify the clients and contacts concerned
• provide the clients and contacts concerned with the necessary information and recommendations.

8. DPO - Data Protection Officer

UNIRESI has appointed a Data Protection Officer.
The contact details for the Data Protection Officer are as follows:

Alain Boublil
UNIRESI - Retraite Plus
14, Quai de la Marne 75019 Paris
Email: donnees-personnelles@retraiteplus.fr
Tel: 0800941340

In the event of any new processing of personal data, UNIRESI will first refer the matter to the Data Protection Officer.

If clients and contacts wish to obtain specific information or ask a specific question, they may refer the matter to the Data Protection Officer, who will provide a response within a reasonable period of time in relation to the question asked or the information required.
In the event of a problem with the processing of personal data, customers and contacts may contact the designated Data Protection Officer.

9. Register of processing and Impact Assessment

UNIRESI , as data controller, undertakes to keep an up-to-date register of all processing activities carried out.

This register is a document or application making it possible to list all processing carried out by UNIRESI , as data controller.

UNIRESI also undertakes to prepare an Impact Analysis of the risks relating to personal data.

UNIRESI undertakes to provide the supervisory authority, upon first request, with the information enabling the said authority to verify that the processing complies with the data protection regulations in force.

10. Right to lodge a complaint with the CNIL

Customers and contacts concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:

• CNIL - Complaints Department
• 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07