Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also called the General Data Protection Regulation (GDPR), sets out the legal framework for processing personal data. The GDPR upholds the rights and obligations of controllers, processors, data subjects and recipients. We process personal data for the purposes of our business. To properly understand this policy:
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible and easily accessible form.
The purpose of this policy is to meet Incathlab’s information obligation and formalise the rights and obligations of its customers and prospects regarding personal data processing for all of the services provided by Incathlab.
Incathlab makes every effort to ensure that data is processed according to clear internal governance. However, this policy only concerns processing for which Incathlab is responsible and therefore does not pertain to processing deployed or utilised outside Incathlab’s governance rules (stealth IT or shadow IT). Personal data processing can be managed directly by Incathlab or by a service provider specifically chosen by Incathlab. This policy is separate from any other documents which may apply between Incathlab and our customers and prospects.
Incathlab only processes the personal data of our customers and prospects collected by or for our services, or processed in connection with our services, in compliance with the general principles of the GDPR. Incathlab mainly processes your data to organise events and provide products and services. Data may be processed for the following purposes:
This list is meant to be as exhaustive as possible. Customers and prospects will be informed of any new purpose, alteration or removal of existing processing by an amendment to this policy.
The processing purposes listed above are based on the following legal requirements:
Legal basis |
Example |
Precontractual or contractual implementation including via the general terms and conditions of sale |
Registration for an event, purchase order, etc. |
Legitimate interest |
CCTV footage is kept for up to one month, etc. |
Consent |
Newsletter, cookie management, contact requests, satisfaction surveys, sales and news communication, etc. |
Non-technical data (depending on use)
Technical data (depending on use)
Data sources
Our (primary or other) customer or prospect data is generally collected directly from our customers and prospects.
Data can also be collected indirectly through third parties:
In this case, Incathlab will ensure that third parties, organisations or legal entities comply with the GDPR and that data subjects are informed of our personal data protection policy.
Data collected by Incathlab may be shared in whole or in part, depending on the purpose.
Internal recipients
The recipients of customer and prospect personal data at Incathlab are required to respect data confidentiality. Incathlab decides who can have access to what data based on an authorisation policy.
External recipients
Incathlab is not responsible for losses of any kind resulting from illegal access to personal data. Furthermore, personal data may be communicated to any authority legally entitled to receive it. In this case, Incathlab is not responsible for the conditions under which the employees of these authorities access and use the data.
Incathlab defines the data storage period based on applicable legal and contractual requirements or its needs, and based on the following principles:
Processing |
Data storage period |
Data related to customers participating or exhibiting at the event |
The duration of contractual relationships and the event organised by Incathlab, plus 3 years for promotional and prospecting reasons, without prejudice to storage obligations or statutes of limitations |
Data related to the website members and users |
Until they have unsubscribed from the member space and for 1 year after the last session |
Data related to prospects |
3 years from when Incathlab collects their data or the last contact with the prospect |
Technical data |
1 year |
Banking data |
Data is deleted as soon as the transaction is completed, unless otherwise authorised by the customer. If the transaction is contested, data is archived for 13 months following the debit date |
Prevention of money laundering |
5 years |
After expiry of these set periods, data is either erased or stored once it has been anonymised, particularly for statistical purposes. Data may be stored in the event of pre-litigation and litigation. Customers and prospects are advised that data erasure or anonymization is irreversible and that Incathlab will not be able to restore this data.
Customers and prospects have the right to ask Incathlab for confirmation as to whether or not their data is processed. Customers and prospects also have a right of access, provided the following rules are followed:
Customers and prospects have the right to ask Incathlab for a copy of their processed personal data. However, if an additional copy is requested, Incathlab may require that customers and prospects bear the financial cost. If customers and prospects request a copy of their data via email, the information requested will be provided in standard electronic format, unless requested otherwise. Customers and prospects are also informed that their right of access does not apply to confidential information or data, or data which the law prohibits from being communicated. The right of access must not be exercised abusively, meaning on a regular basis for the sole purpose of disturbing the department in question.
Incathlab meets update requests:
The right to erasure of customers and prospects does not apply if data is processed to comply with legal obligations. Apart from this, customers and prospects may request that their data be erased within the following restrictive cases:
In accordance with legislation on personal data protection, customers and prospects are advised that this is an individual right that can only be exercised by the data subject for their own data. For security reasons, the relevant department must therefore verify your identity to prevent your confidential information from being communicated to someone other than yourself.
Customers and prospects are advised that this right is meant to be exercised if data is legally processed by Incathlab and if all the personal data collected is required for the performance of the sales agreement.
Incathlab allows for data portability in the particular case of data communicated by the customers or prospects themselves, for online services provided by Incathlab itself and for purposes needing the sole consent of data subjects. In this case, data will be communicated in a standard structured machine-readable format.
Customers and prospects are advised that they have the right to give instructions on the storage, erasure and communication of their data after death. To exercise their rights and communicate specific post-mortem instructions, they must write to pdo@comnco.com or by post to Incathlab – Data Management, 15 Bd Grawitz, 13016 Marseille, France and include a signed copy of a piece of ID.
All forms used to collect personal data use asterisks to inform customers and prospects whether information is mandatory or optional. If answers are mandatory, Incathlab explains the consequences of not providing an answer to customers and prospects.
Customers and prospects grant Incathlab the right to use and process their personal data for the purposes stated above. However, Incathlab maintains ownership of enriched data produced from Incathlab processing and analysis (usage analysis, statistics, etc.).
Incathlab advises its customers and prospects that it may use any subcontractor of its choice to process their personal data. In this case, Incathlab will ensure that the subcontractor complies with its GDPR obligations. Incathlab will sign a written agreement with all its subcontractors and require that they comply with the same data protection obligations as Incathlab. Incathlab also reserves the right to audit its subcontractors in order to ensure that they comply with the GDPR.
Incathlab is responsible for defining and implementing physical or logical security technical measures that it deems appropriate to prevent the unauthorised accidental or illegal destruction, loss, alteration or disclosure of data. These measures mainly include:
Incathlab may hire any third party of its choice to do this. If all or part of personal data processing is subcontracted, Incathlab will contractually require that its subcontractors provide security guarantees through technical data protection measures and suitable human resources.
In the event of a personal data breach, Incathlab will notify the CNIL as required by the GDPR. If the breach entails a high risk for customers and prospects, and their data was not protected, Incathlab will:
As the controller, Incathlab will keep an updated record of all processing activities. This record is a document or application detailing all processing carried out by Incathlab as the controller. At first request, Incathlab will provide the supervisory authority with information enabling the authority to verify that processing complies with IT regulations and civil liberties in force.
Customers and prospects whose personal data is processed are advised of their right to submit a complaint to the supervisory authority, which is the CNIL in France, if they feel that their personal data is not being processed in compliance with European regulations on data protection, by writing to the following address: CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, FRANCE Tel: +33(0)1 53 73 22 22
This policy may be changed or amended at any time in the event of changes to legislation, case law, CNIL decisions and recommendation or uses. Customers and prospects will be informed of any new versions of this policy by any means chosen by Incathlab, including electronically (e.g. via email or online).
These Terms of Use are governed by French Law. Any disputes relating to the interpretation and performance of these terms will be brought before the competent French courts.
In accordance with French Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, you have the right to access and rectify your personal data. You may receive information about our business. If you do not wish to receive information, please contact us and include the name of your business, your name and address. You can also do this to stop receiving sales offers.
For more information, please contact pdo@comnco.com. For more general information on personal data protection, please consult the CNIL website at www.cnil.fr