ORSYS - Personal Data Protection Policy

Last updated: January 8, 2024

The ORSYS group (ORSYS Formation, ORSYS Institut, ORSYS Belgium, ORSYS Luxembourg, ORSYS Switzerland, ORSYS Spain, ITTCert) is committed to protecting the personal data of its clients. It undertakes to ensure the highest level of protection in compliance with the European regulation applicable to the protection of personal data.

What are our principles regarding the processing of personal data?

In accordance with current regulations, the processing of your personal data carried out by ORSYS is based on the following principles:

• The data collected is proportional to the purposes of the processing.

• The purposes of each processing are determined, explicit, and legitimate.

• The processing is lawful, fair, and transparent.

• The collected data are subject to security measures, both organizational and technical.

Who is responsible for the processing of my personal data?

The data controller is the company that defines for what purpose and how your personal data are used. For personal data collected on our websites and mobile applications, or during contacts with our sales teams (needs assessments, orders, file follow-ups, etc.), the data controller is:

ORSYS
1 Parvis de la Défense, La Grande Arche Paroi Nord
92044 PARIS LA DEFENSE CEDEX
RC Nanterre: 482 761 160

Why does ORSYS collect my personal data?

ORSYS mainly uses your personal data for the following purposes:

• Management of training orders and customer relations, effective implementation of training sessions. The vast majority of our clients are private companies and public organizations, and sometimes individuals. We need information about you for the management of professional training orders placed by your employer, or by yourself, and the follow-up thereof. For example: registration for an inter-company, intra-company training session or an e-learning session; sending of your convocations or your connection identifiers to our LMS platform (Learning Management System); welcome in our training centers and rooms; performance of the training service and follow-up of the training periods completed; evaluation of knowledge; customer relationship management such as conducting satisfaction surveys; handling complaints and after-sales service.

• Personalization of our services and the messages we address to you. The data concerning you allows us to improve the services we offer you and the communications we address to you. For example: we can send you personalized emails or recommend training courses that meet your professional needs.

• Customer knowledge, statistics, and performance of our site. We may use anonymous data to analyze the activity of our site and improve the services we offer. We measure, for example, the number of pages viewed, the number of visits to the site, as well as the activity of visitors and their frequency of return. We may use the data concerning you to establish internal statistics related to your commercial relationship with ORSYS.

What personal data is collected about me?

What data?

Regarding our clients, training prescribers (contacts from the training department, human resources department, buyers, directors, and operational managers), the personal data collected and processed mainly consist of names, first names, and professional contact details (company, position, postal address, email address, telephone number), some connection data, order history, and any other information communicated spontaneously if its content is relevant and proportional to the purpose of the processing.

Regarding participants in ORSYS training sessions, personal data is collected either from the employer or from the participant himself/herself during registration. This mainly includes the name, first name, professional contact details (employer's name, profession, postal address, email address, telephone number), some connection data, evaluations of the training courses attended, self-assessments on the acquisition of knowledge, and any other information communicated spontaneously if its content is relevant and proportional to the purpose of the processing.

The collection of participant data from the employer responds to the legal obligation of employers to provide training for their employees. The collection of data from the participant himself/herself responds to the legal obligation referred to in the preceding paragraph or to the execution of a professional training action as provided for in Article L 6313-1 of the Labor Code. The data collected are then necessary for the implementation of the action. Where applicable, in accordance with Article D 5211-3 of the Labor Code, ORSYS may collect information on any disability situations in order to anticipate the necessary adaptations to the conduct of the training. This information is only kept until the end of the training. It is then removed from our systems, and we keep no trace of it.

When?

We collect the information you provide us, notably when:

For training prescribers (contacts from the training department, human resources department, buyers, directors, and operational managers…):

• You request the creation of a professional client account.

• You place an order on one of our websites or with our sales teams (email or web forms).

For people attending an ORSYS training:

• You use a MyOrsys account to access the educational resources of a training course you have attended.

• You evaluate a training course you have attended.

• You browse our websites and consult our training products.

• You contact our Customer Service.

For everyone:

• You submit an information request.

• You send us a registration request for one of our free events.

During online collection, the mandatory or optional nature of the data is indicated to you by an asterisk.

ORSYS may also collect prospect data:

• As part of purchasing data via external partner databases, in compliance with the GDPR.

• As part of professional events (trade shows and webinars): the collected data include names, first names, and professional contact details (company, position, postal address, email address, telephone number).

In both cases, an acknowledgment email is sent to the collected email address, to inform about our approach and offer an immediate possibility of opposition.

• As part of subscribing to our "blog" content: our prospects can request to receive our commercial emails, according to the training themes that interest them. They are then invited to provide their professional email address and simply select the content categories they wish to subscribe to.

What communications am I likely to receive?

• Service Emails: Following an order or as part of contract management, you will receive emails to allow you to track your order or the execution of your contract (order confirmations, organization of training sessions, retrieval of administrative documents, etc.). These service messages are necessary for the proper execution of the orders and services you have requested. Receiving this information is not linked to the choices you will have expressed for receiving communications for commercial purposes.

• Commercial Emails and Newsletters: As a customer, if you have not objected, or as a prospect (trade show, webinar, blog, etc.), you may receive information and offers from ORSYS by email. These messages keep you informed about ORSYS's news, the evolution of its training offer, session availability, and events (presence at trade shows, conferences, or webinars). We systematically measure the open rate and click-through rate of these emails to adapt them as closely as possible to your needs.

• Postal Mailings: If you have not objected, you may receive offers and information by mail, such as our general or thematic catalogs.

On what legal basis and for what durations are my personal data processed?

The processing of your personal data is justified by various legal bases depending on the use we make of the personal data. Below you will find the legal bases and retention periods that we apply to our main processing activities.

Legal bases of the processing

Among the applicable legal bases:

• Contract: the processing of personal data is necessary for the performance of the contract to which you have consented.

• Consent: you agree to the processing of your personal data through express consent (checkbox, email contact, or telephone contact with your ORSYS sales representative). You can withdraw this consent at any time.

• Legitimate interest: ORSYS has a commercial interest in processing your data that is justified, balanced, and does not infringe on your privacy. Except in exceptional cases, you can oppose a processing based on legitimate interest at any time by notifying ORSYS.

• Legal obligation: the processing of your personal data is mandatory by law.

Retention periods

Most data (information from your customer account, order history, etc.) are retained as long as you are an "active" customer and for a period of 5 years from your last activity. Your data is then archived with restricted access for an additional period for limited and legally authorized reasons (payment, requests for old documents such as a training certificate or diploma, etc.). After this period, they are deleted.

| Purpose of processing | Legal basis | Retention period in operational database | Archiving | Helpful observations |
| --- | --- | --- | --- | --- |
| Management of registrations for training or associated services | Contract | Duration of the contract | 5 years from the end of the contract | A customer is considered active, for example, when they register for a training session for one of their employees or themselves, attend a training, meet one of our sales representatives, or log into their account. |
| Management of prerequisite tests | Legitimate interest | Duration of the evaluation | 5 years from the date of evaluation | Evaluation of candidates to determine if they have the necessary prerequisites to follow the training |
| Website management | Legitimate interest | Duration of processing the request | | |
| Use of the Espace Pro account (for prescribing agents) or MyOrsys (for participants) | Contract | 5 years from the last activity | 5 to 10 years | A prescribing client is active, for example, when they make a purchase, retrieve administrative documents, or log into their Espace Pro account. |
| Management of prospect clients | Legitimate interest | 3 years from the last activity | 5 years from the end of the contract | As part of managing your customer account, you may receive ORSYS paper or electronic communications regarding its products or services. You can oppose this at any time. |
| Sending B2B emails (electronic commercial prospecting) by ORSYS | Legitimate interest | 3 years from the last activity | N/A | As part of managing your customer account, you may receive ORSYS electronic communications regarding its products or services. You can oppose this from the creation of the account and at any time. |
| Sending B2C emails (electronic commercial prospecting) by ORSYS | Consent | 3 years from the last activity | N/A | As part of managing your customer account, you may receive ORSYS electronic communications regarding its products or services. You can withdraw your consent at any time. |
| Sharing of data within the ORSYS group for customer knowledge | Legitimate interest | 5 years from the last activity | 5 to 10 years | You can at any time express your opposition to the sharing of information within the ORSYS group by postal or electronic mail. |

What measures are taken to secure my data?

ORSYS takes technical and organizational measures to prevent unauthorized access or disclosure of data:

• Access to our premises and IT environments is secure.

• Access, sharing, and transfer of data are secure.

• Our employees who access personal data are trained in confidentiality requirements.

Who are the recipients of my data?

Transmission of data to subcontractors

The data we collect may be transmitted to subcontractors ORSYS uses for the realization of its training courses for the purposes mentioned above, mainly in the context of the effective implementation of face-to-face or distance learning courses.

Sharing of data within the ORSYS group

Data concerning you may also be transmitted to other subsidiary companies of the ORSYS group for study and customer knowledge purposes. To know the up-to-date list of group entities likely to receive your data, you can make the request.

Sharing of data with third parties

ORSYS only shares your data with providers necessary for the realization of its training courses.

How can I express my choices regarding the use of my data?

You can at any time withdraw your consent or object to the use of your data:

• By email to rgpd@orsys.com.

• By mail to the address: ORSYS, Personal Data Processing, 1 Parvis de la Défense, La Grande Arche, Paroi Nord, 92044 Paris La Défense.

• If you have an account, online in your Espace Pro (for training prescribers) or in your MyOrsys (for participants in our courses).

All our advertising emails contain an unsubscribe link, allowing you to express your opposition to the use of your email address at any time.

What are my rights regarding the use of personal data?

According to the regulations on the protection of personal data, you can exercise your rights (access, rectification, deletion, opposition, limitation, and portability where applicable) by writing to rgpd@orsys.com or by mail to ORSYS, Personal Data Processing, 1 Parvis de la Défense, La Grande Arche, Paroi Nord, 92044 Paris La Défense. To enable us to respond promptly, please provide your name(s)/surname(s), company, professional email address used in your relationship with ORSYS, and the desired modification. Some requests to exercise your rights (right of access) must be accompanied by a photocopy of an identity document bearing your signature to verify your identity and specify the address to which the response should be sent. A response will be addressed to you within one month following the receipt of the request.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), notably via its website www.cnil.fr.

ORSYS has a Data Protection Officer (DPO) responsible for ensuring the protection of personal data. You can contact ORSYS's DPO at the address dpo@orsys.com (excluding the exercise of your rights, which is primarily carried out at rgpd@orsys.com).

Are my data transferred outside the European Union?

Your data collected in the context of your business relationship with ORSYS are not transferred outside the European Union.

What about the personal data of minors?

ORSYS services are not intended for minors; consequently, ORSYS does not process data specifically concerning minors.

What types of cookies are used?

We use cookies or similar technologies to improve your browsing experience or offer you personalized advertising content. To manage these cookies, we rely on a trusted third party, Axeptio, which manages the collection and storage of your consents. Our customers and prospects manage their consents independently, via a window accessible at the bottom of each of our website pages: they can accept or refuse each of the types of cookies below, as they wish and at any time.

Types of cookies used:

• Cookies for accessing statistics or browsing behaviors on our websites (Google Analytics, Hotjar...)

• Cookies for measuring the effectiveness of sponsored campaigns (Google Ads, Bing, Facebook, Twitter, Instagram...)

• Cookies for identifying visitors from our advertising emails (Dialog Insight)