Logo-SQORUS
SQORUS logo

Information notice on the protection of customer and prospective customer data

Last update: 08/06/2026

Preamble – why this manual?

As part of the commercial relationship that links you to the SQORUS Group, or that we plan to establish with your organization, personal data concerning you as an individual is collected and processed by the Group: your name, your professional contact details, your function, and the elements associated with commercial and contractual exchanges. The General Data Protection Regulation (GDPR) requires the Group to inform you precisely about such processing.

The present notice meets this obligation. It is brought to your attention by explicit reference in each commercial proposal and contract. It is also permanently accessible at sqorus.com/customer-data-protection.

The notice is written in clear, accessible language. Should you nevertheless find any of the wording difficult to understand, or if you have any questions, please contact the Group’s Data Protection Officer (DPO) at dpo@sqorus.com.

Important distinction – which notice applies to my data?

When SQORUS is the data controller: this is the case for your data as a sales contact (name, position, business details, commercial exchanges). The present notice applies.

When SQORUS is a subcontractor on behalf of your organization: this is the case when SQORUS processes, as part of a service, data for which your organization is the data controller (for example: data from your organization’s employees or customers processed as part of our TMA, Council or integration assignments). In this case, your organization’s notice applies to these people, not ours. Section 9 details this particular case and the commitments of SQORUS.

    1. Who is responsible for your data?

    1.1. Identity of the data controller

    The person responsible for processing your personal data is :

    Company name

    SQORUS SAS

    Legal form

    Simplified joint-stock company with capital of 1,088,400 euros

    Head office address

    25 rue de Maubeuge, 75009 Paris, France

    SIREN

    353 663 065

    Represented by

    Amadou NGOM, Chairman

    Website

    www.sqorus.com

    If the business relationship is contractually carried out by SQORUS Côte d’Ivoire or SQORUS Morocco (and not by SQORUS SAS), the local legal entity acts as data controller for this relationship, in coordination with the Group (see addenda A and B at the end of the notice).

     

    1.2. Contact details of the Data Protection Officer

    The SQORUS Group has appointed a Data Protection Officer (DPO) to act as a single point of contact for any questions or requests relating to your data:

    Name and function

    Olivier PROFIT – Group Data Protection Delegate

    E-mail address

    dpo@sqorus.com

    Postal address

    For the attention of the DPO – SQORUS SAS – 25 rue de Maubeuge, 75009 Paris

     

    1.3. SQORUS Group scope and quality

    The SQORUS Group acts both as a data controller (RT) and as a data processor (ST), depending on the situation:

    • As data controller, to manage the commercial relationship with your organization: prospecting, contract conclusion and execution, invoicing, marketing communications. Your data processed in this context is covered by the present notice;
    • As a subcontractor, when the SQORUS Group conducts a service mission (TMA, integration, Council, training) involving the processing of DCP for which your organization is data controller (for example: data of your employees on which SQORUS intervenes, data of your customers in a database that SQORUS administers). In this case, it is your organization’s notice that applies to data subjects, and the commitments of SQORUS in its capacity as ST are described in section 9 and formalized contractually (article 28 GDPR clauses).

     

    2. Which treatments concern you?

    2.1. Overview

    This section presents all the processing of your data implemented by SQORUS in the context of the commercial relationship, in its capacity as data controller. Each processing operation is described according to a standardized framework: purpose, legal basis within the meaning of Article 6 of the GDPR, categories of data, retention period.

    The legal bases used are mainly :

    • The performance of the commercial contract (article 6 §1.b GDPR) – for processing directly linked to the conclusion and performance of the contract;
    • The Group’s legitimate interest (Article 6 §1.f GDPR) – for B2B commercial prospecting (admitted by CNIL doctrine for professional contacts), for post-contractual commercial follow-up, for improving the offer. A balance of interests test was carried out for each processing operation;
    • Compliance with legal obligations (Article 6 §1.c GDPR) – accounting (10 years), anti-money laundering and anti-corruption (KYC), tax and reporting obligations ;
    • Your consent (article 6 §1.a GDPR) – for specific cases such as newsletter registration, the collection of testimonials or customer cases distributed externally, certain cookies not strictly necessary.

    The data processed is exclusively professional data: your identity in the context of your activity, your function, your professional contact details, elements of commercial exchanges. No sensitive data within the meaning of Article 9 of the GDPR is requested or processed.

     

    2.2. Sales prospecting and pre-sales activities

    Processing sheet n°1 – B2B sales prospecting

    Purpose

    Identify potential prospects interested in SQORUS services, make contact for B2B sales purposes, qualify opportunities, prepare and present service offers.

    Legal basis

    Legitimate interest of the Group to develop its commercial activity with professional contacts (Article 6 §1.f GDPR). In accordance with CNIL doctrine, B2B commercial prospecting (company to professional contact of another company) is based on legitimate interest, without the need for prior consent, subject to transparent information and respect for the right to object.

    Data categories

    Identity (surname, first name), position, organization, business contact details (email, business phone, organization address), area of expertise and responsibility, business history, opportunity qualifications, source of contact identification.

    Source of data

    Direct identification via trade shows and events, professional websites, LinkedIn-type platforms, compliant (legally constituted) sales files, recommendations and introductions, prospect base acquired from GDPR-compliant service providers.

    Shelf life

    3 years from the last contact or commercial action (CNIL recommendation for B2B prospecting). After that, unless you object, your data will be deleted or anonymized. You may object to commercial prospecting at any time, without reason (article 21 §2 GDPR) – your email address is then kept for 3 years on the objection list as proof of objection (POL-GDPR-CONSERVATION v2.0).

     

    2.3. Contract and customer relationship management

    Processing sheet no. 2 – Commercial contract management

    Purpose

    Contract conclusion (negotiation, formalization of reciprocal commitments), contract execution (operational monitoring, communication with designated contacts, governance points, project committees), management of contractual changes (amendments, renewals, end of relationship).

    Legal basis

    Performance of the commercial contract (Article 6 §1.b GDPR) – for contacts designated by your organization as SQORUS interlocutors in the context of the contract. Legitimate interest of the Group (Article 6 §1.f) for the overall management of the customer account.

    Data categories

    Identity, position and professional contact details of designated contacts (signatories, sponsors, project managers, operational contacts), history of contractual exchanges, meeting minutes, signed contractual documents, any amendments and official letters.

    Shelf life

    For the duration of the contract. At the end: 5 years (commercial and probatory prescription – article L. 110-4 of the French Commercial Code). After this period, data may be archived anonymously for statistical purposes or permanently deleted.

     

    2.4. HubSpot CRM – centralize sales data

    The SQORUS Group uses HubSpot, a CRM (Customer Relationship Management) platform that centralizes sales data: prospects, opportunities, active customers, exchange history and sales action tracking. This tool is the Group’s sales repository.

    Processing sheet no. 3 – HubSpot CRM

    Purpose

    Centralize all sales data in a unified tool for tracking prospects, opportunities and customers in contact with SQORUS. Provides sales teams with an up-to-date view of exchanges and the context of each contact.

    Legal basis

    Legitimate interest of the Group to have an efficient commercial management tool (article 6 §1.f). Contract performance (article 6 §1.b) for data associated with an active contract.

    Data categories

    All data described in §§ 2.2 and 2.3, centralized in the tool. Technical usage data (time-stamping of actions, traceability of SQORUS employee access).

    Shelf life

    Identical to the durations of the data it centralizes (see §§ 2.2, 2.3). Accounts that have been inactive for more than 3 years without an active contract are archived or deleted.

    HubSpot is an American company (Cambridge, MA, USA). Associated transfers outside the EU are governed by the mechanisms described in section 4 (DPF + Standard Contractual Clauses).

     

    2.5. Billing, payment and accounting

    Processing sheet n°4 – Billing and accounting

    Purpose

    Drawing up and issuing invoices for services rendered, monitoring payments, managing reminders and disputes where necessary, accounting for operations, associated tax declarations (VAT, annual accounting declarations).

    Legal basis

    Performance of the commercial contract (article 6 §1.b) and compliance with legal accounting and tax obligations (article 6 §1.c): Commercial Code articles L. 123-22 and L. 110-4, General Tax Code, applicable accounting standards.

    Data categories

    Identity and contact details of designated invoicing contacts (customer’s accounting/finance manager), your organization’s bank references where necessary for payment, content of invoices issued, payment follow-up and reminders.

    Shelf life

    10 years from the close of the financial year concerned (French Commercial Code, article L. 123-22). For items with contractual evidential value: 5 years (commercial prescription).

     

    2.6. Marketing communications and events

    Processing sheet no. 5 – Marketing communications

    Purpose

    Keep you informed of news, events, publications, Ebooks, webinars and offers from the SQORUS Group, on subjects relevant to your professional scope. Includes newsletter, invitations to events, and targeted communications on business themes.

    Legal basis

    Legitimate interest of the Group to inform professional contacts in a business relationship or who have expressed an interest (article 6 §1.f), for B2B contextual communication. Explicit consent (article 6 §1.a) when you subscribe to the newsletter via the website or a dedicated form.

    Data categories

    Identity, business contact details, job title, declared interests, history of emails opened or clicked (engagement statistics), participation in events.

    Shelf life

    For as long as you remain in a commercial relationship with SQORUS, or until you unsubscribe or object. After unsubscription: storage for 3 years for purposes of proof of opposition (POL-GDPR-CONSERVATION v2.0).

    All marketing emails include a clear and functional unsubscribe link. You may also exercise your right to object at any time, without giving any reason, by writing to dpo@sqorus.com.

     

    2.7. Monitoring customer satisfaction

    Processing sheet no. 6 – Customer satisfaction

    Purpose

    Measure the satisfaction of Group customers with our services, identify areas for improvement, and capitalize on positive feedback (customer cases, testimonials – always with the explicit prior agreement of the customer).

    Legal basis

    Legitimate interest of the Group to know and improve the quality of its services (article 6 §1.f). Explicit consent (article 6 §1.a) for the public dissemination of testimonials or customer cases mentioning you or your organization by name.

    Data categories

    Identity of respondent contact, position, organization, content of satisfaction questionnaire or interview, wording of any verbatims.

    Shelf life

    3 years after collection. Testimonials distributed with consent: duration of consent (revocable at any time).

     

    3. To whom is your data disclosed?

    3.1. Internal recipients

    Within the SQORUS Group, access to your data is strictly limited to people who have a role in the commercial relationship:

    • Sales teams (account managers, pre-sales engineers, sales managers) – for prospecting, negotiation and account follow-up;
    • The operational teams assigned to your project (project leaders, consultants, team managers) – for the execution of services ;
    • Administrative and financial teams – for invoicing, accounting and payment follow-up;
    • Marketing department – for communications, subject to respect for your preferences ;
    • General Management – for strategic accounts and major decisions;
    • The Data Protection Officer (DPO) – for data protection issues.

    Intra-group transfers may occur with subsidiaries SQORUS Côte d’Ivoire and SQORUS Maroc when required by the contract or project (coordination of mixed teams, involvement of consultants from subsidiaries). These intra-group transfers are governed by a GDPR intra-group agreement (ACC-GDPR-INTRAGROUPE) incorporating the European Commission’s standard contractual clauses (Decision (EU) 2021/914), guaranteeing a uniform level of protection.

     

    3.2. Subcontractors

    The Group relies on subcontractors to provide tools or perform certain services. These subcontractors are selected according to a rigorous procedure (Vendor Security Assessment) and contractually framed by Article 28 GDPR clauses imposing appropriate security and confidentiality measures.

    Service category

    Main subcontractor

    Perimeter

    Commercial CRM

    HubSpot (United States)

    Centralization of prospecting and customer relations data

    Collaborative suite

    Microsoft (M365: Outlook, Teams, OneDrive, SharePoint)

    Email exchanges, document sharing, videoconferencing

    Electronic signature

    Depending on service provider

    Dematerialized contract signature

    Billing and accounting

    Depending on ERP in place – details available on request

    Invoicing, accounting follow-up

    Marketing tools and events

    Depending on service providers used (emailing, event platforms)

    Newsletter distribution, event registration management

    Hosting and technical services

    According to contract – details available on request from the DPO

    Hosting certain internal tools

    The complete and up-to-date list of subcontractors handling personal data is kept by the DPO and is available on request from dpo@sqorus.com.

     

    3.3. External third-party recipients

    Your data may be communicated to external third parties only in the following cases:

    • Public and judicial authorities upon formal legal request;
    • Group Councils (lawyers, chartered accountants, statutory auditors) within the strict framework of their mission;
    • Financing and banking institutions for payment transactions;
    • In the event of partial or total divestment of a business or restructuring of the Group, subject to the guarantee of an equivalent level of protection and prior information of the persons concerned.

    Your data will never be communicated to external third parties for commercial, advertising or prospecting purposes.

     

    4. Is your data transferred outside the European Union?

    Some processing operations involve transfers to countries outside the European Economic Area. These transfers are governed in accordance with the Group’s transfer policy (POL-GDPR-TRANSFERTS v1.0) :

    Country / Zone

    Use cases

    Framing mechanism

    United States

    HubSpot (CRM), Microsoft (M365), certain SaaS tools

    European “Data Privacy Framework” adequacy decision of July 10, 2023 (Decision EU 2023/1795). In addition (“belt and suspenders”): Standard Contractual Clauses (EU Decision 2021/914).

    United Kingdom, Switzerland, Canada, Japan, Israel

    One-off subcontractors

    European adequacy decisions – recognized equivalent level of protection.

    Ivory Coast

    Group coordination with SQORUS Côte d’Ivoire; mixed consultants on certain assignments

    Standard Contractual Clauses (article 46 §2.c GDPR) + documented Transfer Impact Assessment (TIA).

    Morocco

    Group coordination with SQORUS Morocco; mixed consultants on certain assignments

    Standard Contractual Clauses (article 46 §2.c GDPR) + documented Transfer Impact Assessment (TIA).

    Other third countries

    Exceptional, one-off cases

    Mechanisms of Article 46 GDPR or limiting derogations of Article 49 GDPR. Prior notification of the DPO and documentation.

     

    All additional technical and organizational measures recommended by the EDPS are implemented: state-of-the-art encryption at rest and in transit, pseudonymization when the purpose allows, strict access management.

    5. How long will your data be kept?

    The length of time we keep your data varies according to the nature of the processing and applicable legal obligations.

    Summary :

    Data category

    Main duration

    Foundation

    Commercial prospecting data

    3 years from last contact

    CNIL Doctrine – B2B prospecting

    Active contract management data

    Contract duration

    Performance of the commercial contract

    Post-contract data

    5 years after end of contract

    Commercial statute of limitations – Code de commerce article L. 110-4

    Accounting and tax data (invoices, receipts)

    10 years

    French Commercial Code article L. 123-22

    Marketing communications data (newsletter subscribers)

    As long as you are a subscriber

    Consent / Legitimate interest

    Proof of opposition/unsubscription

    3 years after the opposition

    POL-GDPR-CONSERVATION v2.0 – proof of opposition

    Testimonials and case studies

    Duration of consent (revocable)

    Consent (article 6 §1.a)

    KYC data (anti-money laundering/corruption)

    5 years after the end of the contractual relationship

    Monetary and Financial Code

    The Group’s comprehensive retention policy (POL-GDPR-CONSERVATION v2.0) specifies the periods applicable to each category of data and the archiving and deletion mechanisms. It can be consulted on request to the DPO.

    6. What are your rights?

    You have the following rights over your personal data, as provided for in Articles 15 to 22 of the GDPR:

    Law

    Description

    Right of access (article 15)

    Obtain confirmation that your data is being processed and, if applicable, receive a copy of the data and related information.

    Right of rectification (article 16)

    Correct inaccurate data about you or complete incomplete data (e.g. change of function, organization, contact details).

    Right to erasure (article 17)

    Request the deletion of your data. This right may be limited by legal obligations (accounting, KYC) or contractual obligations (duration of an active contract).

    Right to limitation (article 18)

    Request that processing be “paused” in certain cases (e.g. accuracy disputes during verification).

    Right to portability (article 20)

    Receive your data in a structured, machine-readable format, for processing based on contract performance or your consent.

    Right to object (article 21)

    Object to processing based on legitimate interest, for reasons relating to your particular situation. Regarding commercial prospecting, you can object at any time and without reason (Article 21 §2 GDPR) – this is an absolute right.

    Withdrawal of consent

    When processing is based on your consent (newsletter, testimonials), you may withdraw it at any time, without affecting the lawfulness of the previous processing.

     

    7. How to exercise your rights

    7.1. Exercise channel

    To exercise any of your rights, please send a request to the Group’s Data Protection Officer :

    dpo@sqorus.com

    To unsubscribe from the newsletter, you can also use the unsubscribe link present in each marketing email. This action is treated as a formal objection within the meaning of Article 21 §2 GDPR.

     

    7.2. Identification

    For commercial contacts who have an established relationship with SQORUS, the use of your professional email address is in principle sufficient identification. In case of doubt, or for requests concerning particularly sensitive data, the DPO may request a copy of an identity document; this copy will be deleted within 30 days of the closure of your request.

     

    7.3. Response time

    The DPO will reply within one month of receiving your complete request. This deadline may be extended by two months if your request is complex or if the DPO is handling a large number of requests simultaneously. You will be informed of this extension and the reasons for it within the initial one-month period.

     

    7.4. Right to lodge a complaint

    If you feel that your rights have not been respected, you can lodge a complaint with the competent supervisory authority:

    • For France: Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy, 75007 Paris – www.cnil.fr ;
    • For Côte d’Ivoire: Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI) ;
    • For Morocco: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).

    You also have the right to take legal action before the competent court, in accordance with Article 79 of the GDPR.

    8. Automated decision-making and artificial intelligence

    Article 22 of the GDPR provides for the data subject’s right not to be subject to a decision based exclusively on automated processing that produces significant legal effects on him or her.

    The SQORUS Group does not carry out any processing that meets this qualification in the context of commercial relations:

    • No commercial decision (prospect qualification, discount agreement, relationship suspension, etc.) is taken exclusively by automated means;
    • Some in-house tools can integrate prioritization or data enrichment functions (for example, HubSpot can offer prospect scoring) – these aids are consultative, and the decision always rests with a human salesperson;
    • The Group’s in-house artificial intelligence tools (notably Microsoft 365 Copilot for internal productivity) can be used to prepare sales proposals or communications, but are not a substitute for human decision-making.

    This configuration is verified each time a commercial tool is deployed, and is the subject of a Data Protection Impact Analysis (DPIA) when the tool mobilizes a significant AI system.

    9. Special case – service contracts (SQORUS subcontractor)

    In the context of numerous services (Third-Party Application Maintenance, integration, Council, training, run), the SQORUS Group processes, on behalf of your organization, personal data for which your organization is the data controller. This typically involves :

    • Data relating to your employees (when SQORUS intervenes on an HRIS, an HR tool or an employee workstation);
    • Data relating to your customers (when SQORUS uses a CRM, a commercial database or a customer relations platform);
    • Business data processed by applications managed by SQORUS.

     

    9.1. Distinguishing responsibilities

    In this case, the responsibilities are as follows:

    • Your organization is responsible for processing this data – it determines the purposes and means of the processing;
    • The SQORUS Group is a processor within the meaning of Article 28 of the GDPR – it processes data on behalf of your organization, within the framework of documented instructions ;
    • Data subjects (your employees, customers, etc.) are informed by your organization by means of its own GDPR notice – not by this SQORUS notice.

     

    9.2. Contractual commitments of SQORUS as a subcontractor

    In accordance with Article 28 GDPR, the SQORUS Group contractually undertakes to comply with the following obligations (clauses formalized in our customer contracts or in dedicated contractual appendices):

    • Process data only on the basis of documented instructions from your organization;
    • Guarantee data confidentiality through confidentiality undertakings signed by all authorized SQORUS employees;
    • Implement appropriate technical and organizational measures (article 32 GDPR) – security reference framework aligned with ISO 27001 ;
    • Obtain your prior authorization, general or specific, before any further subcontracting (in particular: use of the SQORUS Côte d’Ivoire and SQORUS Maroc subsidiaries);
    • Assist you in fulfilling your obligations towards the persons concerned (in particular: exercise of rights, notification of violations within 24 hours, contribution to AIPDs);
    • To provide you, at your request, with the information needed to demonstrate compliance with Article 28 and to enable audits to be carried out;
    • At the end of the contract, return or delete the data according to your instructions.

     

    9.3. Documentary framework applicable on the SQORUS side

    The Group’s internal framework for guaranteeing these commitments includes :

    • POL-SEC-PSSI v2.0 – Information System Security Policy ;
    • POL-GDPR-PRESTATAIRES v1.0 – GDPR policy for service providers (framework for the subcontracting chain) ;
    • PRO-GDPR-VIOLATIONS v1.0 – Violation notification procedure (SQORUS ST → RT customer deadline: 24 hours) ;
    • PRO-GDPR-RIGHTS v1.0 – Procedure for exercising rights, including the transfer mechanism to the RT customer when a request is made to him.

    If you have any questions about SQORUS’ commitments as a subcontractor, please contact the Group DPO: dpo@sqorus.com.

    10. Leaflet updates

    The present notice is subject to change to take account of changes in regulations, developments in the tools used, or the addition or deletion of subcontractors. Information can be obtained as follows:

    • Systematic versioning: each modification gives rise to a new numbered version (v1.0 → v1.1 → v2.0 depending on the extent of the modifications) with application date ;
    • The current version is permanently accessible at sqorus.com/customer-data-protection;
    • Any substantial modification (new processing, new purpose, new major recipient, change in legal basis, significant change in retention period, change in hosting location) is the subject of prior information, by email, to all active commercial contacts in CRM;
    • A purely formal modification (typographical correction, update of an external reference with no impact on your rights) is traced in the version history without individual information.

    The version applicable to a contractual relationship is that in force on the date the contract is signed, except in the event of subsequent substantial modification, of which you will be informed in the manner described above.

    Addendum A – SQORUS Ivory Coast

    This addendum supplements the main notice for customers and prospects who have a direct contractual relationship with SQORUS Côte d’Ivoire. It specifies applicable local conditions.

     

    A.1 Identity of the contracting entity

    Where the business relationship is contractually carried out by SQORUS Côte d’Ivoire, this legal entity is the local data controller. The Group DPO remains your point of contact for any questions relating to data protection, at dpo@sqorus.com.

     

    A.2. Applicable legal framework

    The processing of your data is governed simultaneously by :

    • Ivorian law no. 2013-450 of June 19, 2013 on the protection of personal data, and its implementing texts;
    • The GDPR, when processing involves coordination with the Group in France (intra-group transfers, mixed teams, contacts residing in the EEA).

    The competent supervisory authority for Côte d’Ivoire is the Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI). You can lodge a complaint with this authority if you feel that your rights have not been respected.

     

    A.3 Practical details

    • The channel for exercising rights remains dpo@sqorus.com (Group DPO). A local SQORUS Côte d’Ivoire representative may be appointed to act as a relay;
    • Transfers to France (Group) or outside Africa are governed by the mechanisms provided for by Ivorian law and by European Standard Contractual Clauses accompanied by a Transfer Impact Assessment;
    • The terms and conditions described in the main body of the notice apply, with the exception of local legal terms that may differ (particularly in accounting and tax matters).

    Addendum B – SQORUS Morocco

    This addendum supplements the main notice for customers and prospective customers who have a direct contractual relationship with SQORUS Maroc.

     

    B.1 Identity of the contracting entity

    When the commercial relationship is contractually carried out by SQORUS Maroc, it is this legal entity that is responsible for local processing. The Group DPO remains your contact at dpo@sqorus.com.

     

    B.2 Applicable legal framework

    The processing of your data is governed simultaneously by :

    • Moroccan Act No. 09-08 of February 18, 2009 on the protection of individuals with regard to the processing of personal data, and its implementing regulations;
    • The GDPR, when processing involves coordination with the Group in France.

    The competent supervisory authority for Morocco is the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP). You can lodge a complaint with this authority if you feel that your rights have not been respected.

     

    B.3 Practical details

    • The channel for exercising rights remains dpo@sqorus.com (Group DPO). A local SQORUS Maroc representative may be appointed to act as a relay;
    • Transfers to France (Group) or outside Africa are governed by the mechanisms set out in law 09-08 (prior authorization or CNDP notification depending on the case) and by European Standard Contractual Clauses accompanied by a Transfer Impact Assessment;
    • The terms and conditions described in the body of the notice apply, with the exception of any local legal terms that may differ.

    Appendix – Short terms for proposals, contracts and forms

    The short disclosures below are intended to be integrated into the various points of commercial collection (commercial proposals, contracts, web forms). They provide condensed information in line with the layered approach recommended by the EDPS (Transparency Guidelines 03/2017).

     

    Version 1 – Clause to be included in the SQORUS commercial contract

    To be included in all commercial contracts where SQORUS is the model issuer. To be placed as an end clause or appendix:

    Protection of personal data

    Within the framework of this contract, the SQORUS Group, in its capacity as data controller, collects and processes the personal data of the commercial and operational contacts designated by the Customer (signatories, sponsors, project managers, invoicing contacts, etc.).

    The legal bases for such processing are the performance of this contract (Article 6 §1.b GDPR), the Group’s legitimate interest in commercial management and account monitoring (Article 6 §1.f GDPR), and compliance with legal obligations (Article 6 §1.c GDPR), in particular accounting and tax.

    Data subjects have extensive rights over their data: access, rectification, deletion (subject to legal time limits), limitation, portability, opposition. To exercise these rights or if you have any questions: dpo@sqorus.com.

    Full information is provided in the SQORUS Group’s Customer and Prospective Customer Notice (NOT-GDPR-CLIENT v1.0), available at sqorus.com/protection-donnees-clients. This notice constitutes the detailed information required by Articles 13 and 14 of the GDPR. The Customer acknowledges having received a copy and certifies having brought this information to the attention of its contacts designated in this contract.

    Special case – SQORUS subcontractor :

    Where the performance of this contract involves the processing by SQORUS of personal data for which the Customer is the data controller (for example: data from its employees, customers, or prospects), the commitments of SQORUS in its capacity as processor within the meaning of Article 28 GDPR are specified in [REFERENCE APPENDIX ARTICLE 28] of this contract. The information notice to data subjects within this scope is the Customer’s responsibility.

     

    Version 2 – Mention for sales proposal and first contact

    Your data are processed by SQORUS in the context of B2B commercial prospecting.

    We have identified your job title and business contact details for the purpose of presenting our offers. The legal bases are the Group’s legitimate interest in B2B prospecting (Article 6 §1.f GDPR) and, where applicable, pre-contractual measures at your request (Article 6 §1.b GDPR).

    Retention: 3 years from last contact, in accordance with CNIL policy.

    You may object to commercial prospecting at any time, without giving any reason, by writing to dpo@sqorus.com.

    Detailed information: NOT-GDPR-CLIENT notice accessible at sqorus.com/protection-donnees-clients

     

    Version 3 – Mention for contact web form (sqorus.com)

    Protecting your data

    The data you provide in this form is processed by SQORUS SAS, the data controller, to respond to your request for contact or quotation. The legal basis is the performance of pre-contractual measures taken at your request (Article 6 §1.b GDPR).

    To exercise your rights (access, rectification, deletion, limitation, portability, opposition) or if you have any questions: dpo@sqorus.com.

    Complete notice: sqorus.com/customer-data-protection

    ☐ I have read the SQORUS Customer and Prospect Information.

     

    Version 4 – Footer for marketing emails

    To be included at the foot of all Group newsletters, event invitations and marketing communications:

    You are receiving this email because you have a business relationship with the SQORUS Group or have expressed an interest in our publications. The legal basis is the Group’s legitimate interest in informing its business contacts (Article 6 §1.f GDPR).

    → Unsubscribe [UNSUBSCRIBE LINK]

    → Full notice: sqorus.com/customer-data-protection

    → For questions: dpo@sqorus.com

    SQORUS SAS – 25 rue de Maubeuge, 75009 Paris – SIREN 353 663 065

     

    Version 5 – Explicit consent for testimonials and case studies

    To be used to obtain a customer’s explicit and revocable consent to the publication of a testimonial or customer case mentioning him or her by name:

    Consent to the publication of a testimonial

    I, the undersigned, [NAME, FIRST NAME, POSITION, ORGANIZATION] expressly consent to the public dissemination of the following testimonial/case study, the content of which I have read and approved:

    [CONTENT TO BE VALIDATED]

    Agreed terms of distribution :

    ☐ sqorus.com website

    ☐ SQORUS marketing materials (brochures, proposals)

    ☐ Group social networks

    ☐ Press releases or events

    This consent is given on the basis of Article 6 §1.a GDPR. I may withdraw it at any time by writing to dpo@sqorus.com, without affecting the lawfulness of distributions prior to the withdrawal.

    __________, the __________

    Signature :