Information notice on data protection for suppliers and partners

Last update: 08/06/2026

As part of the contractual relationship that binds you to the SQORUS Group as a supplier, partner, technical service provider or freelancer, personal data concerning you as an individual is collected and processed by the Group: your name, your professional contact details, your function within the supplier organization, your contractual data, your payment data, and elements associated with exchanges. The General Data Protection Regulation (GDPR) requires the Group to inform you precisely about these processing operations.

The present notice meets this obligation. It is brought to your attention by being appended to your main contract when you sign it. It is also permanently accessible at sqorus.com/protection-donnees-partenaires.

The notice is written in clear, accessible language. Should you nevertheless find any of the wording difficult to understand, or if you have any questions, please contact the Group’s Data Protection Officer (DPO) at dpo@sqorus.com.

1.1. Identity of the data controller

The person responsible for processing your personal data is :

If the contractual relationship is carried out by SQORUS Côte d’Ivoire or SQORUS Maroc, the local legal entity acts as data controller (see addendums A and B at the end of this notice).

1.2. Contact details of the Data Protection Officer

The SQORUS Group has appointed a Data Protection Officer (DPO) to act as a single point of contact for any questions or requests relating to your data:

1.3. Scope of the notice

This notice applies to all natural person contacts in the supplier and partner chain of the SQORUS Group:

• Legal representatives and signatories of suppliers and partners ;
• Commercial and operational contacts designated by suppliers and partners ;
• Accounting and financial contacts in charge of billing ;
• Freelancers and external consultants contracting directly with SQORUS as natural persons (autoentrepreneur status, sole proprietorship, self-employed);
• External technical subcontractors working with SQORUS ;
• Commercial partners in the Group’s alliances and consortiums.

The notice does not cover suppliers’ employees handled as part of a specific assignment under the responsibility of the end customer (case where SQORUS is a subcontractor and the supplier is a subsequent subcontractor) – this case falls under section 9 and the dedicated contractual clauses (article 28 GDPR).

2.1. Overview

This section presents all the processing of your data implemented by SQORUS in the context of the supplier or partner relationship, in its capacity as data controller. Each processing operation is described according to a standardized framework: purpose, legal basis within the meaning of Article 6 of the GDPR, categories of data, retention period.

The legal bases used are mainly :

• Performance of the supplier or partner contract (Article 6 §1.b GDPR) – for processing directly linked to the conclusion and performance of the contract, including pre-contractual measures ;
• Compliance with legal obligations (Article 6 §1.c GDPR) – for processing imposed by the Commercial Code (accounting), the General Tax Code (taxation), Law 2016-1691 of December 9, 2016 known as “Sapin II” (anti-corruption and third-party risk mapping), the Monetary and Financial Code (KYC) ;
• The Group’s legitimate interest (Article 6 §1.f GDPR) – for the overall management of the supplier panel, quality assessment, partnership prospecting, continuous improvement of the supply chain. A balance of interests test has been conducted for each processing operation of this type.

No sensitive data within the meaning of Article 9 of the GDPR is requested or processed. If you spontaneously provide such information (for example: extract from criminal record – KBis rarely includes this in standard France), it is kept only as long as necessary for verification and then deleted.

2.2. Onboarding and supplier referencing (VSA)

Processing sheet n°1 – Onboarding and VSA

2.3. Contractual and operational management

Processing sheet no. 2 – Supplier contract management

2.4. Billing, payment and accounting

Processing sheet no. 3 – Supplier invoicing and accounting

For freelancers and auto-entrepreneurs invoicing directly to individuals, bank details and personal identity are part of the data processed and stored under the same conditions as above.

2.5. Supplier evaluation and rating

Processing sheet no. 4 – Supplier evaluation

The evaluation is carried out by SQORUS teams (project managers, purchasing, operational teams) within a formalized framework. You can ask to be informed of the evaluation elements concerning you directly (as an identified contact) by exercising your right of access with the DPO.

2.6. Anti-corruption (Sapin II law) and KYC

Processing sheet no. 5 – Third-party and KYC risk mapping

3.1. Internal recipients

Within the SQORUS Group, access to your data is limited to people with a role in supply chain and supplier management:

• Purchasing teams – for sourcing, selecting, listing and managing the supplier panel;
• Operational teams using the service (project leaders, team managers) – for contract management and evaluation ;
• Administrative and financial teams – for billing, payment tracking, accounting ;
• General Management – for strategic suppliers and major commitment decisions;
• The Data Protection Officer (DPO) – for data protection issues ;
• Compliance Officer – for Sapin II and KYC verifications.

Intra-Group transfers may occur with subsidiaries SQORUS Côte d’Ivoire and SQORUS Morocco when the supplier relationship concerns them (e.g.: Group shared service provider, or coordinated Group purchasing).

3.2. Technical subcontractors

The Group relies on technical subcontractors for purchasing and supplier chain management. These subcontractors are selected according to a rigorous procedure and contractually framed by Article 28 GDPR clauses :

The complete and up-to-date list of subcontractors handling personal data is kept by the DPO and is available on request at dpo@sqorus.com.

3.3. External third-party recipients

Your data may be communicated to external third parties only in the following cases:

• Public and judicial authorities upon formal legal request (in particular under Sapin II and LCB-FT obligations);
• Group Councils (lawyers, chartered accountants, statutory auditors) within the strict framework of their mission;
• Financing and banking institutions for supplier payment transactions;
• Where applicable, the end customer when you are working as a subcontractor for one of our RT customers (see section 9).

Some processing operations involve transfers to countries outside the European Economic Area. These transfers are governed in accordance with the Group’s transfer policy (POL-GDPR-TRANSFERTS v1.0) :

The length of time we keep your data varies according to the nature of the processing and applicable legal obligations. Summary :

You have the following rights over your personal data, as provided for in Articles 15 to 22 of the GDPR:

7.1. Exercise channel

To exercise any of your rights, please send a request to the Group’s Data Protection Officer :

dpo@sqorus.com

7.2. Identification

For contacts with an established relationship with SQORUS, the use of the business email address is in principle sufficient identification. For requests concerning KYC or Sapin II elements, or in the event of doubt as to identity, the DPO may request a copy of an identity document; this copy will be deleted within 30 days of the closure of your request.

7.3. Response time

The DPO will reply within one month of receiving your complete request. This period may be extended by two months if your request is complex (typically: request concerning Sapin II/KYC verifications), with prior information within the one-month period.

7.4. Right to lodge a complaint

If you feel that your rights have not been respected, you can lodge a complaint with the competent supervisory authority:

• For France: Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy, 75007 Paris – www.cnil.fr ;
• For Côte d’Ivoire: Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI) ;
• For Morocco: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).

You also have the right to take legal action before the competent court, in accordance with Article 79 of the GDPR.

Article 22 of the GDPR provides for the data subject’s right not to be subject to a decision based exclusively on automated processing producing significant legal effects.

The SQORUS Group does not use any processing operations meeting this qualification for the management of suppliers and partners:

• Decisions to list, renew or terminate a relationship are taken by the Group’s Purchasing teams, if necessary by an internal committee, on the basis of a complete instruction;
• Decision-support tools (rating, scoring, screening of sanction lists) produce consultative indicators; the associated decisions are systematically subject to human analysis;
• No supplier application is rejected, and no contractual relationship is terminated, solely on the basis of an automated tool.

One particular contractual situation deserves specific attention: when the SQORUS Group, in its capacity as processor on behalf of a customer (data controller), resorts to a supplier or service provider (yourself) to perform all or part of a service involving the processing of the customer’s DCP. You then become a further processor within the meaning of Article 28 §2 and §4 of the GDPR.

9.1. Conditions for subsequent subcontracting

In accordance with Article 28 §2 GDPR, further subcontracting is subject to the prior authorization of the customer responsible for processing. This authorization may be:

• Specific – the authorization covers your named intervention;
• General – the authorization covers the category of subcontractor to which you belong, with compulsory prior notification of the customer in the event of additions or replacements, and the right to object.

The SQORUS Group undertakes to comply scrupulously with these obligations towards its RT customers, and to engage a subsequent subcontractor only under authorized conditions.

9.2. Cascading commitments

In accordance with Article 28 §4 GDPR, when you act as a subsequent subcontractor for a SQORUS customer, you are subject to the same data protection obligations as those contractually imposed on SQORUS by that customer. These obligations include:

• Process data only on documented instructions (instructions via SQORUS);
• Ensuring data confidentiality;
• Implement appropriate technical and organizational measures (Article 32 GDPR);
• Require you to obtain prior authorization for any subsequent second-tier subcontracting;
• Notify SQORUS of any data breach within a timeframe that allows SQORUS to meet its own obligations (24 hours to the RT customer);
• Cooperate in rights exercises, AIPDs, and audits;
• Return or delete data at the end of the service.

9.3. Contractual documentation

These commitments are formalized contractually by signing a GDPR appendix to the service contract, conforming to the SQORUS model aligned with the requirements of Article 28 GDPR. The present notice does not replace this contractual appendix; its sole purpose is to inform the natural person signing or dealing with the contract of the existence and scope of these cascading commitments.

The present notice is subject to change to take account of changes in regulations, developments in the tools used, or the addition or deletion of subcontractors. Information can be obtained as follows:

• Systematic versioning: each modification gives rise to a new numbered version (v1.0 → v1.1 → v2.0) with application date ;
• The current version is permanently accessible at sqorus.com/protection-donnees-partenaires ;
• Any substantial modification (new processing, new purpose, new major recipient, change in legal basis, significant change in retention period) is the subject of prior information, by email, to all suppliers and partners in an active contractual relationship;
• A purely formal modification (typographical correction) is traced in the version history without individual information.

The version applicable to a contractual relationship is that in force on the date the contract is signed, unless substantially modified at a later date, of which you will be informed.

This addendum supplements the main notice for suppliers and partners who have a direct contractual relationship with SQORUS Côte d’Ivoire.

A.1 Identity of the contracting entity

When the contractual relationship is carried out by SQORUS Côte d’Ivoire, this legal entity is the local data controller. The Group DPO remains your contact at dpo@sqorus.com.

A.2. Applicable legal framework

The processing of your data is governed simultaneously by :

• Ivorian law no. 2013-450 of June 19, 2013 on the protection of personal data;
• Ivorian legislation to combat money laundering, the financing of terrorism and corruption;
• The GDPR, when processing involves coordination with the Group in France (intra-group transfers).

The competent supervisory authority for Côte d’Ivoire is the Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI). You can lodge a complaint with this authority if you feel that your rights have not been respected.

A.3 Practical details

• The channel for exercising rights remains dpo@sqorus.com (Group DPO). A local SQORUS Côte d’Ivoire representative may be appointed to act as a relay;
• Transfers to France (Group) are governed by the mechanisms provided for by Ivorian law and by European Standard Contractual Clauses accompanied by a Transfer Impact Assessment;
• The terms and conditions described in the body of the notice apply, with the exception of any local legal terms that may differ.

This addendum supplements the main notice for suppliers and partners who have a direct contractual relationship with SQORUS Maroc.

B.1 Identity of the contracting entity

When the contractual relationship is carried out by SQORUS Maroc, this legal entity is the local data controller. The Group DPO remains your contact at dpo@sqorus.com.

B.2 Applicable legal framework

The processing of your data is governed simultaneously by :

• Moroccan law no. 09-08 of February 18, 2009 on the protection of individuals with regard to the processing of personal data;
• Moroccan legislation on the fight against money laundering, terrorist financing and corruption (Act no. 43-05 as amended);
• The GDPR, when processing involves coordination with the Group in France.

The competent supervisory authority for Morocco is the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP). You can lodge a complaint with this authority if you feel that your rights have not been respected.

B.3 Practical details

• The channel for exercising rights remains dpo@sqorus.com (Group DPO). A local SQORUS Maroc representative may be appointed to act as a relay;
• Transfers to France (Group) are governed by the mechanisms provided for by law 09-08 (prior authorization or CNDP notification depending on the case) and by European Standard Contractual Clauses accompanied by a Transfer Impact Assessment;
• The terms and conditions described in the body of the notice apply, with the exception of any local legal terms that may differ.

Version 1 – Clause to be included in the SQORUS supplier contract

To be included in all supplier contracts where SQORUS is the model issuer:

Version 2 – Mention in the VSA questionnaire (onboarding)

Version 3 – Specific clause for freelance/self-employed contracts

Adaptation for use in service contracts concluded directly with a natural person (freelancer, self-employed entrepreneur, sole trader). The natural person is both the contracting party and the person concerned: