Data Protection Policy

Personal Data Protection Policy

1 - Our GDPR Commitments

1.1 – Compliance

LSTI collects personal data in compliance with the rules set out, on the one hand, by the international standards relating to certification, in particular the ISO/IEC 17024 standard ("General requirements for bodies operating certification of persons") and the rules issued by the ANSSI for the evaluation of PASSI auditors, PRIS analysts and other experts, and, on the other hand, by the requirements of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Through this policy, we wish to present, in a concise, clear, transparent and easily accessible format, the processing of personal data that we carry out as part of our services.

LSTI’s personal data protection strategy is integrated and aligned with that of the Group to which it is affiliated: Apave. This strategy is based on the audit of the privacy management system conducted and the requirements imposed by the Information Systems Department (DSI). This strategy aims to ensure the Group’s compliance with data protection laws worldwide and to integrate a security culture in line with our risk management values.

Consequently, the general principles of our actions are based on the Privacy Management System, organized into 14 key areas:

  • Governance;
  • Awareness and training;
  • Data mapping;
  • Sharing, transfer and disclosure;
  • Information and the rights of data subjects;
  • Privacy by design and by default;
  • Accountability;
  • Data breach management and incident response;
  • Legal;
  • Technical and organizational security measures;
  • Management of audits and compliance checks;
  • Relationship and control with authorities;
  • Continuity and improvement.

1.2 – Definitions

Personal data

Personal data is "any information relating to an identified or identifiable natural person". A natural person can be identified directly (via their last name and first name) or indirectly (via an identifier).

Processing of personal data

The processing of personal data is "an operation, or set of operations, involving personal data, whatever the process used (collection, recording, organization, storage, adaptation, modification, extraction, consultation, use, communication by transmission or dissemination or any other form of making available, merging)". The processing can be computerized or paper-based.

Data Protection Officer

The Data Protection Officer (hereinafter "DPO") is "responsible for implementing compliance with the European Data Protection Regulation within the organization that appointed him/her with regard to all processing implemented by that organization". LSTI has appointed a Data Protection Officer whose contact details are as follows:

  • Email: dpo@apave.com
  • By post: 6 Rue du général Audran, 92400 Courbevoie, France

2 - Our GDPR Compliance

2.1 – Governance

LSTI’s privacy management system is supervised by the DPO attached to the General Secretariat of the Apave Group. The DPO coordinates compliance in each entity of the Group with the help of DPO Correspondents for each legal entity and delegates of Apave.
The DPO Correspondents are appointed by each General Manager and actively participate in the compliance of their reporting entity through the Privacy Management System and the monitoring of action plans.

The DPO Correspondents liaise with the Group’s DPO to ensure the strategic alignment and effectiveness of the global implementation of data and privacy protection compliance.

2.2 – Awareness and training plan

Awareness and training for all LSTI employees is managed at the Apave Group level and is a key element of the Privacy Management System.

Each year, an awareness and training plan is developed around these objectives:

  • Improving knowledge to reduce risks and apply best practices
  • Developing a security culture
  • Compliance with personal data protection obligations

To this end, various means of communication are used to have a real multi-channel impact: e-learning training for employees and managers, phishing simulation campaigns, intranet communication, small group awareness, etc. These communications, which may have a national or international scope, highlight the possible risks to the LSTI Information System. They also provide information on solutions to remedy these risks in the event of an incident, but above all on simple methodologies to apply to ensure the protection of personal data.

3

3.1 – Nature of processing

The processing of personal data that we carry out includes a wide range of operations, including: collection, recording, organization, structuring, storage, adaptation or modification, extraction, use, limitation, erasure or destruction.

The data subjects concerned by these processing operations are Customers, their employees and the Customers of our Customers.

We are committed to collecting and using only the personal data that is strictly necessary and relevant to the purposes of our processing.

We implement control procedures to ensure this and regularly adapt our services to minimize data collection.

3.2 – Purposes and legal bases of processing

Each processing of personal data that we implement is based on a specific, legitimate and explicit purpose, as well as on a legal basis in accordance with the regulations in force (GDPR).

We collect personal data directly from you, your employer or a duly authorized person, for the following purposes:

  • Execution of the contract or general conditions: monitoring of the certification contract, preparation and delivery of certification training, evaluation, quality control, certification assessment, communication of observations, delivery of the certification certificate.
  • Legal and regulatory obligations: compliance with the legal and regulatory obligations to which we are subject.
  • Consent: carrying out specific purposes after obtaining your explicit and positive consent.
  • Legitimate interests: personalization of our offers according to your needs, security of our information system.

3.3 – Details of processing and data collected

We are committed to collecting and using only the personal data strictly necessary for the administrative management, organization and execution of the certification.

a) Processing of data relating to registration for an exam:

We keep personal data for the duration of the certification’s validity (3 years).

  • On our website: candidates consent to provide us with the following personal data: last name, first name, email address, telephone number, information shared voluntarily, cookies, economic and financial data.
  • Through a training organization: we collect the following data: candidate’s last name, first name, email address, job title, signature, additional time required to take the exam, history of certifications already obtained.
  • Through the candidate’s company (assessment of skills on ANSSI repositories): the company provides us with the last name, first name, date and place of birth, CV, diplomas, as well as the employer’s certificate. Candidates also provide their signature and email address.
  • Through the candidate’s company (skills certification): we collect the following data: candidate’s last name, first name, email address, job title, signature, additional time required to take the exam, history of certifications already obtained.

b) Processing of data relating to taking the exam:

We keep personal data for the duration of the certification’s validity (3 years).

  • Identity verification: we consult the identity documents that candidates present to verify their identity before the exam. The data is consulted by our external or internal evaluators.
  • Online exams: we collect the last name, first name, login data, surveillance images and videos, as well as the candidate's evaluation via our Tixeo tool.
  • In-person exams: we collect the candidate's last name, first name and evaluation.
  • Issuance of certification: we use the personal data generated following the certification: date of issuance of the certificate, evaluation, certification. The identity of the certified candidate may be published on the LSTI website under a COFRAC obligation.

c) Data processing for customer relationship and business management

We keep personal data for the duration of the contract, as well as 2 years from the end of the contract.

We use your contact data (last name, first name, professional contact details, job titles) to ensure the monitoring and management of the contract and the services related to it. This also allows us to plan interventions and prepare reporting elements, if necessary.

We also store your consents to receive information (for example, for the news to which you subscribe), as well as your withdrawals of consent to processing and your objections to commercial prospecting actions.

d) External recruitment

As part of our external recruitment process via our website, we collect and process the personal data that you provide to us voluntarily. This data includes:

  • Identification data: Last name, first name, email address, telephone number, etc.
  • Data relating to your professional life: Curriculum vitae, cover letter, diplomas, professional experience, skills, etc.

The collection of this information is necessary to evaluate your application and to present you with job offers corresponding to your profile. We keep your personal data for a period of two years from your application, in order to be able to contact you again about potential opportunities. At the end of this period, your data will be deleted, unless you authorize us to keep it for an additional period.

3.4 – Recipients of personal data

The personal data we collect is intended for the internal LSTI departments responsible for carrying out the services.

We ensure that only authorized persons, within the scope of their duties, have access to the data, either temporarily or permanently.

We may be required to share personal data to comply with legal, regulatory or administrative obligations, or to detect, prevent or address fraudulent activities, security breaches or technical problems.

LSTI employees authorized to access personal data are subject to an obligation of confidentiality, in particular through their employment contract, the IT Charter and the internal regulations.

We also transmit data to trusted third parties who process it on our behalf, according to our instructions, in accordance with the GDPR and in compliance with all appropriate security and confidentiality measures.

In particular, we use:

  • service providers to ensure data backup and hosting;
  • external evaluators authorized by LSTI;
  • service providers to ensure the taking of online exams.

The updated list of recipients is available on request.

3.5 – Data transfers outside the EU

All personal data processed by LSTI and its subcontractors is hosted in France or the European Union.

Depending on the services and the location of the customer, data may be transferred outside the European Union.

In the event that LSTI is required to transfer personal data to a third country or an international organization, under Union law or the law of the Member State to which it is subject, it will inform the Client or the data subject of this legal obligation before each transfer, unless the law concerned prohibits such information for important reasons of public interest.

3.6 – Privacy by design and by default

The Apave Group’s project methodology includes in its processes an initial summary analysis of the impacts relating to data protection for any new project.

This first step ensures our accountability. In line with the notion of accountability presented by the GDPR, the Apave Group is committed, beyond its compliance, to being able to prove this compliance as well as the implementation of the processes necessary for the control of personal data.

This involves the application of two key principles:

  • Data protection from the design of the project (privacy by design)
  • Data protection taken into account by default (privacy by default)

Where applicable, a more detailed data protection impact assessment (DPIA) is carried out. This analysis makes it possible to build a processing operation that complies with the GDPR and respects privacy. This type of risk analysis is only performed when a processing operation is likely to create a high risk to the rights and freedoms of the data subjects, taking into account the nature, scope, context and purposes of the processing.

4 - Rights of Data Subjects

The persons concerned by the processing of their personal data carried out by LSTI have rights in order to maintain control of their data. As such, we are committed to respecting:

  • A right to information on the processing of data in a clear, fair and transparent manner;
  • A right of access to the data transmitted: the data subject can obtain from LSTI confirmation of whether or not his/her data is being processed, the purposes of the processing, the recipients of the data, any transfer of the data, as well as a copy of the said data;
  • A right to rectification of inaccurate or incomplete data: the data subject can obtain from us the rectification of his/her data if it turns out to be erroneous or inaccurate;
  • A right to object to certain processing, in particular those for the purpose of commercial prospecting;
  • A right to withdraw consent to data processing, without the effects of this withdrawal being retroactive;
  • A right to erasure of data that is the subject of unlawful processing: the data subject has a right to be forgotten, only when the processing of his/her data does not concern the execution of the contract and that the said contract has been terminated;
  • A right to portability, allowing the data subject to receive the data provided in a usable format in order to transmit it to another service provider. Data portability only applies to data concerning the person, to data transmitted directly, and only if the processing is based on consent or contract;
  • A right to restriction of processing;
  • A right to give instructions relating to the storage, erasure and communication of data after death.

To exercise these rights, simply contact our DPO:

  • By using the following form;
  • At the address: dpo@apave.com, or by mail to the attention of the DPO at the following address: APAVE, 6 Rue du Général Audran, 92400 Courbevoie.

It is also possible to lodge a complaint with a Data Protection Supervisory Authority; in France, this is the CNIL.

5 - Technical and Organizational Security Measures

We implement the necessary and appropriate organizational and technical security measures against any unauthorized access, modification, disclosure, or destruction of the data we store. The Information System Security Policy (ISSP) can be provided to obtain more details on these measures. The purpose of the ISSP is to define the fundamentals of the Apave Group’s Information Security, in order to preserve the confidentiality, integrity, and availability of the Information assets (personal data, data of our customers & partners, operational and strategic data, etc.), with the constant motivation of maintaining a quality and secure service for our customers.

These measures notably include the following:

  • We only collect the data necessary for the determined, explicit, and legitimate purposes declared.
  • Regarding the employees, subcontractors, service providers, and contacts of LSTI who need to access personal data to exercise their roles, functions, and responsibilities:
    • They are authorized and have strictly reserved access;
    • They are made aware and/or trained, according to their roles, functions, and responsibilities;
    • They have signed a confidentiality agreement and have been informed of the risks and penalties in the event of a breach of this obligation.
  • We encrypt data when necessary.

In the event of a personal data breach concerning the data subject, likely to create a risk to their rights and freedoms, our DPO notifies the CNIL as soon as possible, and, if possible, no later than 72 hours after becoming aware of it. LSTI will also inform the data subject as soon as possible, in accordance with the provisions of Article 34 of the GDPR.
