Protection of personal data

Introduction

Regulation n°2016/679 named "General Data Protection Regulation (GDPR or RGPD)" constitutes the new European legal framework for the processing of personal data in Europe. It has been applicable since May 25, 2018. Replacing the Data Protection Directive adopted in 1995, the GDPR is directly applicable in the Union and does not require national transposition laws. As such, it imposes a single, harmonized framework of legal regimes for personal data protection on all member states. The GDPR also has an extraterritorial framework that allows, under certain conditions, its scope of application to be extended outside the EU.
A structure that processes personal data as a data controller or on behalf of, on the instructions of and under the authority of a data controller, and which has access to the data, thus has separate obligations in its capacity as processor or data controller. Magic Online, as a provider of IT services (hosting, maintenance), is directly concerned.

Definitions

In order to make it easier to understand the application of the many articles and directives, the following terms should be clearly defined:

  • Personal data: "Personal data means any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to that person..." (article 2). For example, a person is identified when his or her name or e-mail address appears in a file.
  • Processing: any operation or set of operations concerning such data, irrespective of the process used, and in particular collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure or destruction.
  • Data controller: The person responsible for processing personal data is the person, public authority, service or organization that determines the purposes and means of the processing, unless expressly designated by the legal or regulatory provisions governing the processing.
  • Processor: the natural or legal person, public authority, department or other body that processes personal data on behalf of, on the instructions of and under the authority of the controller.

It is essential to distinguish between the security of data hosted by the customer and the security of the infrastructures on which this information is stored:
  1. With regard to the security of customer-hosted data: you are solely responsible for ensuring the security of the resources and application systems you deploy, in compliance with our general terms and conditions of use.
  2. With regard to the security of our infrastructures: we are committed to maximum security for our infrastructures:
    • Implementation of a PSSI (information systems security policy)
    • Standards and certifications (e.g. ISO 27001:2005, etc.). Details of standards and certifications by DC are available on the Magic Online Group's showcase sites or on request from our customers to our support and assistance department.

Magic Online as a subcontractor

Magic Online offers hosting facilities on which our customers can store their personal data. In this case, the customer is the data controller and we act as a subcontractor, according to your instructions and under your authority.
It is within this relational framework that we commit ourselves to:

  • Establish and apply standards designed to guarantee the security of your data to the highest standards of the technology we deploy.
  • Inform you and obtain your consent if we use a subcontractor.
  • Inform you as quickly as possible if your data is breached.
  • Not transfer your personal data outside the European Union or to a country not recognized by the European Commission as offering an adequate level of protection, with the exception of our own companies based in Tunisia and Morocco, which are themselves subject to Standard Contractual Clauses (SCC 2010/87/EU) adopted by the European Commission. The SCCs provide a framework for the transfer of personal data outside the European Union. They therefore offer a sufficient level of protection.
  • Help you comply with your regulatory obligations as a Data Controller, by providing you with the relevant documents relating to our services.

It is understood that:

  • The data hosted by the customer as part of our services remains the property of the customer. It goes without saying that we firmly exclude any resale of this data to third parties whatsoever.
  • Magic Online may need to access your data:
    • As part of legal obligations following judicial and/or administrative requests.
    • In order to ensure the smooth running of services, for example in the event of a customer request for assistance from our support department, or as part of certain outsourcing contracts. In such cases, access to personal data is subject to specific accreditation and authorization by the customer. In order to process support requests, our support technicians may need to know information provided by the customer (such as name, e-mail address, telephone number, etc.) when creating a Magic Online customer account.
  • Magic Online reserves the right to entrust support services that may involve remote access to data stored by the customer, as part of the services, to other entities of the Magic Online Group located in countries not recognized by the European Commission as having an adequate level of protection but, as mentioned above, these entities are subject to SCCs (Standard Contractual Clauses) and thus offer an adequate level of protection in the eyes of the European Commission.
  • Concerning transfers not subject to SCCs (e.g. certain subcontractors): Thanks to the guarantees offered by Magic Online with regard to data transfers, customers can comply with their regulatory obligations. Article 45 of the GDPR, determining the cases of "transfers based on an adequacy decision", in fact stipulates that a transfer of personal data to a third country or to an international organization may take place when the Commission has found by way of decision that the third country, a territory or one or more specified sectors in that third country, or the international organization in question ensures an adequate level of protection. No specific authorization is required for such transfers.
  • Some of our services allow customers to host their data with Magic Online. The geographical location of the datacenter(s) where data may be hosted can be found on the Magic Online Group websites. Customers can also make a request directly to the support & assistance department. All these datacenters are located in France.
  • The data centers where customer-selected service data is stored are all located in one or more EU countries. The European Commission therefore rightly considers them to offer a sufficient level of protection.

Magic Online as data controller

Magic Online is the data controller when it determines the purposes and means of its personal data processing.
This is the case when we collect data to manage customer identity, orders, invoicing and collections, operate services, improve service quality and performance, carry out commercial canvassing and commercial management, send newsletters, manage requests relating to personal rights, store customer data...
Of course, this does not apply to the data you store on our infrastructures. It may, however, apply to certain information concerning you or your employees (e.g. the identity and contact details of the Magic Online contact in the event of a technical support request).

That's why we'd like to give you a better understanding of the safeguards in place to protect your personal data.

  • In the first place, we limit the collection of data to the strict minimum necessary: for example, when you create an account during an order process, you only provide the data necessary for Magic Online to provide billing and support services or to comply with its own legal obligations in terms of data retention (such as law no. 2004-575 of June 21, 2004 on confidence in the digital economy).
  • We undertake not to use the data collected for purposes other than those for which it was collected.
  • We undertake to retain personal data for a limited period of time, proportionate to the purposes for which it is to be used. For example, customer/Magic Online relationship management data (surname, first name, postal address, e-mail address, etc.) is kept by the company for the duration of the contract and the following sixty (60) months. At the end of this period, it is deleted on all media and backups.
  • You have a right of access, data portability, rectification, deletion and limitation of your data, the right to object to the processing of your data and, in the case of processing based on consent, the right to withdraw your consent. You can exercise your rights at any time by contacting the Data Controller Sophie Mazouz at the following address: protectiondesdonnees@magic.fr
  • You have the right to lodge a complaint with the Commission Nationale Informatique et Libertés (Cnil).
  • If you do not want us to collect your personal data, we will not be able to provide you with all our services, including technical, administrative and commercial support.
  • We undertake not to transfer such data to third parties other than Magic Online affiliates involved in the performance of the contract. As part of these intra-Group transfers, certain data may be transferred outside the European Union on the basis of the Standard Contractual Clauses (SCC 2010/87/EU) implemented by the Magic Online Group.
  • We are committed to the concrete implementation of appropriate technical and organizational measures to guarantee you a level of security that is appropriate and compliant with regulations.