The legal notice and privacy policy detail our collection, use and protection of your personal data to ensure your privacy.

Privacy Policy

Data protection can be reached at

The data processing officer has an information, advisory and internal control role. He or she is the person responsible for personal data. He/she keeps and makes accessible a register. He/she ensures IT security and simplifies formalities with the CNIL. He is the guarantor of legal obligations. He informs the data processors and subcontractors and has the full support of the Serenicity company to carry out his missions.

Responsibilities and modalities

Our processors are informed of their obligations and responsibilities. Our personal data controller ensures the existence of contractual clauses reminding the subcontractor's obligations in terms of security, confidentiality and protection of personal data processed. The traceability of personal data entrusted to our subcontractors is operational.

The security of our information system is based on a policy that includes, among other things, the security measures implemented for the protection of personal data. It includes the following measures:

  • Authentication of our users with complex passwords via a highly secure protocol that automatically blocks sessions after several unsuccessful login attempts. Our users are not administrators of their sessions.
  • Definition of access rights for access to data and applications by assigning users to security groups.
  • Supervised antivirus, firewall and smart shield.
  • Installation of up-to-date security patches and automation of routine administration tasks.
  • Supervised backup with a disaster recovery plan.
  • Our computers' disk drives are encrypted with Microsoft Bitlocker.

Your information is kept for a maximum of 5 years.

The processing of personal data is based on a legitimate legal basis in full compliance with the activity of our company. We only collect personal data that is strictly necessary for our business. Consent is obtained when signing our commercial documents.

In addition, you have the right to access your information (four times a year), rectify it, request its correction or deletion, and exercise your right to limit the processing and portability of your personal data.

For this, you can contact our data controller:

  • By e-mail:
  • By post to the following address: Serenicity, 1 rue de l'informatique, 42000 Saint-Etienne.


We have not identified any processing of personal data that is likely to result in high risks to the rights and freedoms of data subjects.

If a new processing operation were to be set up then we have planned to carry out a Data Protection Impact Assessment ( DPI).

This DPI allows for the creation of a privacy compliant processing in accordance with the RGPD. It will be carried out before the processing of personal data is implemented and will be based on an iterative process. Regular analyses will allow for corrections to be made to the processing, particularly in the event of major changes to its modalities.

This DPI will meet the following 9 criteria:

  • Evaluation or rating
  • Automated decision with legal or similar significant effect
  • Systematic monitoring
  • Sensitive or highly personal data
  • Personal data processed on a large scale
  • Cross-referencing of data sets
  • Data concerning vulnerable persons
  • Innovative use or application of new technological or organisational solutions
  • Exclusion from a right, service or contract.

Internal procedures

In the event of a personal data breach for which we are responsible, our personal data controller will notify the data protection authority within 72 hours and the individuals concerned as soon as possible. This notification will be made using the "Personal Data Breach Notification Form" available on the CNIL website.

Right from the design of an application or processing, the protection of personal data is systematically taken into account in our company. This process is managed by our personal data controller. Each new processing operation is reviewed and entered into our register. If a processing operation deals with sensitive data, then a PIA is set up. Unnecessary data is removed from our processing.

In the event of a change of processor, our data controller ensures that the new processor is in compliance with the GDPR. It also ensures that the replaced processor destroys all personal data in its possession.

An awareness of personal data protection for all employees of our company is carried out by our personal data controller once a quarter by electronic means.