

PRIVACY AND DATA PROTECTION POLICY "NEO Cyber Camp"

PREAMBLE

This privacy and data protection policy (the “Policy”) was adopted by a decision dated January 14, 2025 of the company Neo Cyber Camp, registered under the number SIREN 984722884 with the Paris RCS, having its registered office and management address at 231 rue Saint-Honoré, 75001 PARIS, represented by Mr. Maximilien VOHNOUT, company owner of the website https://www.neocc.co/ and the NEO Cyber Camp platform available from said website (the “Platform”), (hereinafter referred to as the “Company”). The Policy aims to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (the “Regulation”), as well as the obligations to:

- ensure the security of personal data processed, including protection against unlawful processing of personal data, protection against possible loss, destruction or damage of personal data;
- provide the personal data processor with appropriate technical and organizational measures.

In the course of its business, the Company may process the personal data of Users of this website and/or the Platform and/or the Company's Customers. With this Policy, the Company, as the data controller, informs you what to expect when processing your personal data when you visit and use the https://www.neocc.co/ website and/or work with the Platform.

The https://www.neocc.co/ website may contain links to third-party websites or make use of third-party products and services. This Policy does not apply to such third-party websites or to products or services offered by third parties that have their own privacy policies.

If you have any questions, you may contact the Company as follows:

NEO Cyber Camp, for the attention of Mr Maximilien VOHNOUT.
Address: 231 rue Saint-Honoré, 75001 PARIS, France.
Telephone: 01 88 84 03 03
E-mail address: support@neocc.co

Information on the competent data protection commission:

CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Telephone: + 33 / 01 53 73 22 22
Website: www.cnil.fr

1. General provisions

Art. 1.

Definitions

For the purposes of this Policy:

1) 'personal data' means any information relating to an identified or identifiable natural person (hereinafter referred to as the 'data subject'); an 'identifiable natural person' is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

2) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3) 'pseudonymization' means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

4) 'controller' means the Company;

5) 'processor' means the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller;

6) 'third party' means a natural or legal person, public authority, department or body other than the data subject, the controller, the processor and those persons who, under the direct authority of the controller or processor, are authorized to process personal data;

7) 'consent' of the data subject means any free, specific, informed and unambiguous expression of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him or her may be processed;

8) 'personal data breach' means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2. Purposes of processing. Company activity. Processing principles. Reasons for processing

Art. 2.

The main purpose of this Policy is to meet the key requirements for the processing of personal data, as required by the Regulations.

This includes in particular the Regulations, the Personal Data Protection Act, as well as other applicable legislative and regulatory instruments adopted in the field of personal data protection.

The Policy will be reviewed and updated, if necessary, in the event of changes to the applicable legislation, as well as in the event of mandatory requirements by the competent supervisory body, namely the Commission Nationale de l'Informatique et des Libertés.

The purpose of this Policy is to facilitate the effective application of legislation on the processing of personal data, taking into account the specific nature of the Company's activities, i.e.: the continuing professional training of adults in the field of Cybersecurity, as well as all economic, legal, industrial, commercial, civil, financial, securities or real estate transactions directly or indirectly related to the Company's corporate purpose.

The Company processes personal data in accordance with the following principles:

- lawfulness;
- good faith and transparency;
- limitation of processing purposes;
- relevance to the purposes of processing and minimization of the data collected;
- accuracy and timeliness of data;
- limitation of storage in order to achieve the objectives;
- the integrity and confidentiality of the processing and the need to ensure an appropriate level of security for personal data.

The reasons for collecting, processing and storing your personal data are, depending on the particular case:

- To provide you with additional information about the services we offer upon your express request using the form available on our website;
- To fulfill our obligations as data controller under a contract with you;
- Explicit consent received from you in the course of our business;
- Compliance with legal obligations applicable to the data controller;
- For the purposes of our legitimate interest or that of a third party.

On the basis of each of the above reasons, there are specificities in data processing, as described in detail below.

3. Processing the personal data of the Company's customers and partners

Art. 3. (1) Purposes of processing

In the performance of its activities and within the scope of its powers, the Company may process the personal data of individuals within the scope of its activity, namely: the continuing professional education of adults in the field of Cybersecurity, as well as all economic, legal, industrial, commercial, financial, movable or immovable property operations directly or indirectly related to the corporate purpose (hereinafter the “Activity”).

Insofar as the performance of these contracts involves the processing of personal data relating to individuals, such data will be processed to a minimum extent, sufficient only for the exact performance of the obligations under the respective contract.

Access to this information is granted to third parties only when required for the implementation of the Activity and/or by law.

The personal data received from Users is intended for the performance of the Company's obligations in the context of the training order placed, the reservation made by the Customer via the registration form or the contract concluded with the Customer. The order or service contract between the Company and the respective Customer constitutes the legal basis for the processing of personal data by the Company.

The information that the Company collects, including your personal data, enables it to:

- Communicate with you and adapt our services to your request;
- Carry out statistics in order to improve our products and services based on your use of them;
- Send you newsletters, promotional offers and solicitations (unless you refuse these services).

In any case, the Company only processes “ordinary” personal data of Users/Customers, as follows:

- For website Users who have filled in the contact form: surname, first name, e-mail address, telephone number;
- For Platform customers: full name, date of birth, physical address, e-mail address, telephone number, title, diplomas, identity card;
- For newsletter subscribers: e-mail address.

With regard to evaluators, the Company is likely to process the following data: surname, first names, date of birth, e-mail address, physical address, telephone number, title, identity card, diplomas. In addition to this “ordinary” data concerning evaluators, the Company may be obliged to process “sensitive” data concerning evaluators, which is necessary for the proper performance of its services. The conditions for processing such data will be detailed and specified in the respective contracts signed with the evaluators concerned.

The https://www.neocc.co/ website and the Platform are intended for adults capable of entering into binding contracts.

Users under the age of 16, or who are otherwise incapable, must obtain the prior consent of their legal guardians before entering their data on the website and by e-mail.

The age of 16 may be lowered to 13 depending on the local regulations of the User's habitual residence, pursuant to Article 8 of the GDPR.

If your child under the age of 16 has provided personal information, please contact the Company without delay.

(2) Reasons and duration of processing

The Company processes and stores personal data for the period necessary to achieve the purposes of the processing.

For customer data, this period is set at three (3) years after completion of the last order or termination of the respective contract.

Certain data may, however, be kept for a different period in the form of an intermediate archive, in particular to ensure compliance with legal retention obligations.

E-mail addresses provided by Users in the context of their subscription to the Company's newsletter will be kept and used by the Company until the User unsubscribes, which he may do at any time, or for a period of three (3) years after the User's last contact with the Company.

In accordance with simplified standard number 48 drawn up by the CNIL, personal data relating to the management of customers and prospects will only be kept for as long as is strictly necessary to manage the commercial relationship.

However, data enabling proof of a right or contract to be established, or data kept in compliance with a legal obligation, may be archived in accordance with the legal provisions in force.

(3) Risk assessment

Given the nature of the services offered by the Company, the purposes for which personal data is collected, and the measures taken for data protection, the Company assesses the risk as minimal.

4. Cookies

The company uses cookies to better understand the customer's needs.

There are two ways in which you can express your browsing preference, bearing in mind that your choice is not final and can be changed at any time:

- On the https://www.neocc.co/ website, a Cookies tab is displayed on the bottom left-hand corner. This tab allows you to set the categories of cookies you accept or refuse;
- Directly from your web browser

You can configure your browser so that cookies are stored on your terminal or, conversely, that they are rejected. You can also configure your browser so that you are prompted to accept or reject cookies before a cookie is stored on your terminal.

The Company informs you that if you choose to disable cookies, you may not be able to log in and take full advantage of the products and services.

For more information on cookies and your rights, please visit the CNIL website, on the page “Cookies and tracers: what does the law say?”.

5. Obligations of the Company to process personal data

Art. 5. (1) Principles applicable to the processing of your data


The Company is obliged to process personal data received:


1. Legally, in good faith and in a designated manner, indicating the purposes for which it is collected.


The Company's customers and partners are informed of the manner in which their personal data is collected, used, consulted or processed, as well as the extent to which the data is or will be processed, i.e. by filling in a training order form or by signing a service contract. Data subjects provide their data on the basis of the relevant grounds and in relation to the achievement of the respective purposes. The Company undertakes not to collect any personal data that is not necessary for the fulfillment of the respective purposes. The Company undertakes to process personal data provided to it by customers in a manner determined by the persons concerned.


2. Keeping data up to date while ensuring the timely correction and deletion of inaccurate personal data


The Company undertakes to keep the personal data provided up to date by periodically reviewing the data stored.

Where inaccuracies are identified, the Company will immediately take corrective action by contacting the person concerned.


3. Ensuring an appropriate level of security


The Company guarantees that access to the customer's personal file is granted only to him/her as the data subject and to the Company's employees and/or representatives responsible for fulfilling the purposes of data collection. The Company has taken appropriate and sufficient technical and organizational measures to protect the personal data provided.


4. Guaranteeing the rights of data subjects


At all times, the Company grants subjects the rights guaranteed by legislation, by informing subjects directly, by publishing information on the Company's website, as well as in the event of any request made by the subjects of personal data.


5. Data protection contact person


If you have any questions about data protection, please contact Mr Maximilien VOHNOUT:


Address: 231 rue Saint-Honoré, 75001 PARIS, France.

Telephone: 01 88 84 03 03

E-mail address: support@neocc.co

(2) Limited transfer of your data

The User's Personal Data will not be transmitted to commercial or advertising entities.


Your data is only accessible to the Company, its employees, service providers and, where applicable, its partners, when they need to know said information in order to meet the Company's obligations to its Customers or to carry out its business.


In certain circumstances, the Company may share some of your data. For example, the Company may share some of your data:


- When the company uses external service providers to provide services requiring access to this data.

Only the information strictly necessary for the performance of the services will be communicated to them.

- To comply with legal requirements or an obligation resulting from a decision by a regulatory authority or a court order;

- With auditing bodies (statutory auditors, departments responsible for internal audit procedures, etc.);

- In the event of debt collection operations, with the organizations, legal auxiliaries and public officials responsible for debt collection.


To date, the Company's main service providers are as follows:


| Companies | Services | Where |
| --- | --- | --- |
| Microsoft Office 365 (Outlook, Teams, OneDrive…) | Documents, emails, instant messages, logs… | Europe |
| Scaleway | Hosting of website and platform | Europe |
| Folk | Commercial information | USA |
| Digiforma | Training management system | Europe |
| Framer | Hosting of website (using analysis data) | Europe |
| Crisp | Support and ticketing software | Europe |
| Tally | Forms | Europe |

Users/Customers are informed that, to date and in accordance with an EC decision, the United States provides an adequate level of protection for personal data. The Company undertakes to ensure that when storing, processing and protecting personal data, its partners endeavor to comply with the requirements and procedures applicable to the Company for the protection of personal data.


6. Measures taken by the Company to protect personal data

Art. 6.

In order to ensure the availability, authenticity, integrity and confidentiality of personal data stored or transmitted, as well as the security of associated services, and in particular to prevent data from being distorted, damaged or accessed by unauthorized third parties, the Company adopts technical and organizational measures adapted to the Company's activities and to the personal data processed (physical protection of premises, authentication procedures with secure personal access via confidential identifiers and passwords, logging of connections, encryption of certain data, antivirus, etc.).

In this respect, the Company takes all necessary precautions, in view of the nature of the data and the risks presented by the processing.

The security of your data includes the use of secure exchange protocols and storage on secure servers. However, given the risks inherent in this type of transmission, the Company cannot guarantee total security of the data you transmit via the Internet. The Company therefore urges you to exercise caution when transmitting such data.

1) TECHNICAL MEASURES

The Company implements technical measures designed to ensure the protection of personal data by guaranteeing the capacity of the hardware base and the network/automated information system to withstand, with an appropriate level of security, accidental events, illegal or malicious actions that would lead to a breakdown in the availability, authenticity, integrity and confidentiality of data stored or transmitted, as well as the prevention of unauthorized access to work premises and software used by the Company.

The security of your data includes in particular the use of secure exchange protocols (SSL protocol for the online payment platform, where applicable) and storage on secure servers.

2) ORGANIZATIONAL MEASURES

The Company adopts the following organizational measures:

1. minimization of personal data processing;
2. transparency regarding the functions and processing of personal data.

3) PERSONAL PROTECTION

Personal protection is a system of organizational measures with regard to persons who process personal data on the instructions of the data controller.

The Company adopts the following organizational measures:

1. the Company's employees are admitted to work related to the processing of data received after having been familiarized with the legislation in the field of personal data protection, the Policy and Guidelines for the Protection of Personal Data and the dangers to personal data processed by the Company;
2. provide training and instructions to employees concerning the processing and protection of personal data;
3. sign confidentiality agreements;
4. monitoring work processes;
5. prohibit the use of personal e-mail;
6. inform employees of the rights of the subjects concerned.

The Company guarantees that any employee acting under the direction of the Company who has access to personal data may only process the data in accordance with the Company's instructions. All employees who have access to data receive training in data processing and protection.

4) DOCUMENT PROTECTION

Document protection is a system of organizational measures for processing personal data on paper.

The Company adopts the following document protection measures:

1. if applicable, the creation and regular maintenance of registers, which will be kept on paper;
2. determination of the conditions under which personal data is processed, with regard to the principles laid down in the General Regulation;
3. regulating access to registers;
4. controlling access to registers;
5. determination of storage conditions;
6. reproduction and distribution rules;
7. destruction procedures;
8. inspection and control procedures.

7. Measures in the event of data security breaches

Art. 7.

The Company undertakes to record any breach, thus respecting the principle of responsibility set out in the Regulations, describing all details of the breach, including the causes, the persons concerned and the consequences.

In the event that the Company becomes aware of a breach of the security of your personal data, which could present a risk to your rights and freedoms, the Company undertakes to notify you of the relevant breach without undue delay, unless (i) the Company has taken appropriate technical measures to ensure that there is no risk to your rights or (ii) such notification would require a disproportionate effort.

In the event that the breach of security of personal data is likely to result in a risk to the rights and freedoms of individuals, the Company must notify the supervisory authority.

The assessment of whether there is a high risk is made on a case-by-case basis and after consultation, where appropriate, with the supervisory authority. The notification must contain a description of the nature of the breach, the name and contact details of the data protection officer; a description of the likely consequences of the breach and a description of the measures taken or proposed by the administrator to remedy the breach, including, where appropriate, mitigation measures. The content of the breach notification must be agreed with the supervisory authority.

The risk assessment is made in the light of all the circumstances of the case, including but not limited to:

- the assessment of possible physical, material and immaterial damage, the likelihood of the infringement leading to discrimination, identity theft or fraud, financial loss, breach of confidentiality of personal data protected by professional secrecy, unauthorized removal of pseudonymization, or other significant adverse economic or social consequences;
- or when data subjects may be deprived of their rights and freedoms or of exercising control over their personal data;
- if the personal data processed reveals health data;
- when evaluating personal aspects, in particular analyzing or forecasting aspects related to professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements in space, in order to create or use personal profiles;
- if the personal data belong to vulnerable persons, in particular children;
- or when the processing involves a large volume of personal data and affects a large number of data subjects.

The assessment includes:

- categorization of the type of breach: breach of confidentiality, breach of availability or breach of data integrity;
- assessment of the nature, sensitivity and volume of personal data;
- possibility of easy identification of the data subject;
- the seriousness of the consequences for individual subjects;
- the specific characteristics of the data subject;
- the number of people concerned.

Data subjects are not notified of a security breach if the Company has taken appropriate technical and organizational measures to protect the specific data (for example, they have been encrypted), if the necessary measures have subsequently been taken to reduce the high risk to the rights and freedoms of data subjects, or if notification would require a disproportionate effort; in the latter case, a public announcement is made by publishing information about the breach on the Company's website. In all cases, the Company notifies the supervisory authority of its decision whether or not to report the breach. Whatever the nature of the violation and the degree of risk of infringement of personal rights, the Company undertakes to comply with the guidelines issued by the supervisory authority.

The Company has drawn up a personal data breach action plan, which guarantees the rapid restoration of availability and access to personal data in the event of a physical or technical incident. The personal data breach incident response plan identifies the employee/team responsible for responding and notifying the CNIL within 72 hours of becoming aware of the breach.

Given the number of employees in the Company (fewer than 250), the supervisory body must be consulted and, if necessary on its part, the Company will undertake to keep a register of personal data processing activities, which must contain the elements required by art. 30 (1) of the Information Regulations, namely:

1. Name and contact details of the data controller and data protection officer;
2. Purposes of processing;
3. Categories of data subjects and type of personal data processed;
4. Categories of data recipients;
5. Time limits for data processing;
6. List of technical data protection measures;
7. List of organizational data protection measures.

8. Exercising your rights as a subject

Art. 8.

As a subject whose personal data is processed by the Company, you have the right to exercise your rights under art. 15-22 of the Regulations with the Company, as follows:

- Right to information: you have the right to be informed in detail of the conditions under which your personal data are processed upon receipt of the data, namely the purposes of the processing, the categories of personal data that are processed, the recipients of your data, the retention period, your data, your rights as a data subject, the existence of a complaint to the Supervisory Authority. In order to respect this right, this Policy is published on the Company's website and the Company invites you to consult it in the event of any problem.
- Right of access: You have a right of access to your personal data processed by the Company. If you wish to exercise your right of access, please contact the Company using the contacts below.
- Right of rectification and deletion: You have the right to ask the Company to correct inaccurate personal data concerning you, and to complete incomplete personal data concerning you. You have the right to ask the Company to delete your personal data when: the data is no longer necessary for the purposes for which it was collected, you have withdrawn your consent and there is no other legal basis for processing your data, the data has been processed unlawfully, the data must be deleted by virtue of a legal obligation.
- Right of portability: You have the right to ask the Company to provide you with personal data concerning you in a structured, widely used and machine-readable format. Where technically possible, the Company may, at your explicit request, receive instructions to transfer your data to another data controller;
- Right of objection and recourse: You have the right to object or lodge a complaint if you believe that your data is not being processed lawfully.

You can exercise your rights by contacting:

NEO Cyber Camp, for the attention of Mr Maximilien VOHNOUT.
Address: 231 rue Saint-Honoré, 75001 PARIS, France.
Telephone: 01 88 84 03 03
E-mail address: support@neocc.co

Requests submitted will be examined within thirty (30) calendar days by the Company.

If you consider that the Company is not complying with its obligations with regard to your personal data, you may submit a complaint or request to the competent authority.

In France, the competent authority is the CNIL, to which you can send an electronic request by clicking on the following link: https://www.cnil.fr/fr/plaintes/internet.

9. Final provisions

Art. 9.

This Policy has been adopted by a decision of Neo Cyber Camp dated January 14, 2025.

The Policy is published on the https://www.neocc.co/ website for the information of Users.
The Company may make changes to this Policy at any time without notice.
The updated Policy will then be published on this page, which the Company invites you to consult regularly: https://neocc.co/privacy
Your continued use of the website after publication of the update constitutes your tacit acceptance of this Policy.

© 2024 • NEO Cyber Camp

Learn. Practice. Secure.

An all-in-one platform to learn and practice, available 24/7 with only an internet connection, that offers you a direct path to a cybersecurity career.
