Background and issues
The Company (hereinafter referred to as "The Company") implements an Information and Communications System, which is needed to carry out its activities, and includes a computer and telephone network.
The Company's Information and Communications System is comprised of the Company's information technology tools, communication and reprography mediums, including: computers (desktop or laptop computers), peripherals, removable media (USB flash drives), printers with or without a print server, personal digital assistants, a computer network (servers, routers and connectors), software, photocopying machines, telephones, a hotline, files, data and databases, messaging systems, intranet, extranet, internet access, a web-based HR management application, interactive service plans. For network security purposes, the personal tools of users connected to the Company network or containing professional information about the Company, are also considered as part of the Information and Communications System (hereinafter referred to as "The Information and Communications System").
The Company's Information and Communications System hosts multiple data, including financial, commercial and contractual data, as well as data relating to the staff, the customers and the prospects of the Company. Some of this information is of a confidential and sensitive nature.
This data exploitation is based more specifically on the Information and Communications System, which is available to Company employees and collaborators for the performance of their duties.
The improper use of the Information and Communications System may have extremely serious consequences. It increases the risk for data confidentiality, integrity and security breaches (virus, internal network intrusions, data theft) and, consequently, the risk of the Company incurring liability.
Given the importance of protecting its Information and Communications System and the data it contains, the Company requires all the users of its Information and Communications System to comply with the Information Technology Charter (hereinafter referred to as the "Information Technology Charter").
The Information Technology Charter defines the access conditions and rules for using the Company's Information and Communications System and the data processed by the Company. Hence its objective is to define the rights and duties of the Company's Information and Communications System users.
The Information Technology Charter also aims to raise the awareness of users as to the risks associated with the use of information and communications tools as regards the integrity, confidentiality and security of processed data.
Lastly, the Information Technology Charter aims to inform each user of the applicable security rules and the means used by the Company to ensure controlled access to and use of the Information and Communications System.
Article 1 - Scope of application
The Information Technology Charter applies to any person authorised to access and use the Company's Information and Communications System for his/her professional activities, whatever his/her status may be, including corporate officers, employees, interim staff, interns, service provider staff, occasional visitors to the Company (hereinafter referred to as "Users").
The Information Technology Charter also applies to the personal use of the Information and Communications System by Users, which is tolerated under the conditions set out in the Information Technology Charter.
Article 2 - General rules for the use of the Information and Communications System
Each User may access and use the Information and Communications System as needed in the pursuit of his/her professional activity under the conditions defined hereunder in the Company's Information Technology Charter.
It is incumbent upon each User to use the Information and Communications System at his/her disposal in a rational, responsible and loyal manner, taking particular care not to cause or facilitate data saturation, data leakage for personal gain or the breach of data confidentiality and integrity.
2.1. Confidentiality of access parameters
Access to some of the Information and Communications System elements (particularly messaging or voicemail systems, workstation sessions, the network, certain applications or interactive services, software) is protected by connection parameters: username and password.
These connection parameters are personal to the User and must remain confidential.
The User must not request, appropriate, modify or attempt to decrypt another User's password.
As far as possible, these connection parameters should be memorised by the User and not be kept in any form whatsoever. Under no circumstances must these connection parameters be transferred, or entrusted to third parties or be readily accessible. They must be entered by the User each time he/she accesses the Information and Communications System and not retained in the System's memory.
The selected password needs to have a certain degree of complexity and should be regularly changed (every three (3) months). It should be comprised of a minimum of eight (8) characters, combining letters, numbers and special characters. It must of course not include the User's surname or first name/s, or those of his/her children or spouse.
2.2. General security rules
The User must have a responsible and loyal attitude when making use of the Information and Communications System.
He/she is responsible for the data entrusted to him/her for the performance of his/her duties and should contribute to their protection.
He/she shall comply with the following security rules:
- Apply the security measures imposed by the Company before importing any external data;
- Inform the Company's IT Department of any suspected or attempted breach of his/her user account(s) (workstation, messaging account, smartphone, etc.) and in general, of any malfunction observed or suspected;
- Immediately inform the Company management's IT department of any theft or loss of any information and communications tool made available by the Company;
- Lock down access to tools entrusted to him/her or to his/her own tools if they contain professional information, as soon as he/she leaves his/her work station even temporarily;
- Ensure the security and innocuity of the tools used;
- Ensure compliance with legislation on the protection of intellectual property rights, the secrecy of correspondence, corporate confidentiality, the confidentiality of personal data, the right of publicity (personality rights);
- Periodically save the files stored on the tool/s used;
- Refrain from changing the workstation's configuration;
- Refrain from installing, copying, modifying or destroying software without the prior consent of the Company's IT department;
- Refrain from copying data onto an external device without the consent of the Company's management;
- Refrain from accessing or attempting to access or delete information that does not belong to him/her if it is not required for the tasks which the User has to carry out;
- Refrain from accessing or attempting to access data and Internet sites that are forbidden;
- Refrain from modifying the Information and communication tools made available by the Company, their operation, configuration, or physical or software configuration;
- Refrain from connecting or disconnecting the Information and communication tools network made available to him/her by the Company, without being authorised to do so by the Company's IT department;
- Refrain from moving the information technology tool made available to him/her by the Company, unless it is a mobile tool;
- Refrain from interfering with the operation of information and communication tools;
- Comply with procedures predefined by the Company for the supervision of data copying operations onto removable media, by obtaining the prior consent of his/her line manager, and by following the security rules;
- Abide by the restrictions associated with the maintenance of the Information and Communications System;
- Abstain from concealing one's identity or assuming another user's identity.
Furthermore, you are reminded that visitors may not access the Company's Information and Communications System without the prior consent of the Company's Management and IT department.
Outside collaborators authorised to access the Information and Communications System shall ensure that their own staff and subcontractors (if any) comply with the Information Technology Charter.
If an employee is absent, the employer (or manager) may, for purposes of the Company's services or operations, read employees' professional emails either by connecting directly to the absent employee's personal computer or by accessing the emails from the manager's computer via the messaging service of the absent employee and/or by making them available to a third party collaborator of the Company.
Only the IT or HR manager is authorised to reset the session password and pass it on to the manager.
Article 3 - Access and use of the internet
In the context of their professional activity, Users may access the internet and consult any websites that have a direct and necessary link to their professional activity.
An occasional and reasonable use, for personal motives, of websites whose content does not contravene the law, undermine public order or the interests and reputation of the Company, is acceptable.
For security reasons, access to certain websites may be limited or prohibited by the Company's management. The Company's IT department is authorised to impose browser configurations and to restrict the uploading of certain files.
The contribution of Users to discussion forums, instant chat systems, blogs or sites is forbidden/authorised subject to the prior authorisation of the Company's management.
As such a mode of expression is likely to engage the Company's liability, increased vigilance is required on the part of Users.
Users may under no circumstances carry out any illegal activity or activities which undermine the Company's interests (including on the internet).
Article 4 - Electronic messaging
The Company's IT department assigns a professional email address to corporate officers and staff members for the performance of their professional activities.
Electronic messages received on the professional mailbox are subject to a virus scan and an anti-spam filtering service. Users who are employees are invited to inform the Company's management of any spam filter malfunction.
4.1. General advice
The Users' attention is drawn to the fact that an electronic message carries the same weight as a hand-written letter and may be rapidly transmitted to third parties. Compliance with a certain number of principles is important in order to avoid malfunctions in the Information and Communications System, and to avoid incurring the Company's and/or the User's civil or criminal liability.
In terms of hierarchical structure, the sending of electronic messages to third parties follows the same rules as the sending of postal correspondence. If there is any doubt as to the sender authorised to send the message, the Company's management should be consulted.
Before sending a message, it is essential to check the identity of the message recipients and to establish whether they are entitled to receive the information sent to them, and in particular, if they are entitled to give their consent to receive commercial mailings.
If a message has been sent to multiple recipients, the User must comply with provisions against unsolicited bulk mailings and the rules relating to the protection of personal data. He/she must also consider the possibility of concealing certain recipients, by blind copying them, to prevent the email address from being communicated to all the other recipients.
If a mailing list is sent, it is important to check the list of subscribers, the subscription terms and particularly the recipients' consent to receive commercial mailings.
Increased vigilance of the Users is required in the case of confidential information. In such a case, the messages must be encrypted, in accordance with the recommendations of the Company's IT department.
The risk of delay, or non-delivery, or the automatic deletion of electronic messages should be taken into account when sending important correspondence. Important messages must be sent by registered mail or electronically signed.
Users must ensure compliance with laws and regulations, specifically in regard to the protection of intellectual property rights, personal data and third party rights. Electronic correspondence must not include any illegal element such as defamatory, insulting, deceptive statements that may constitute acts of unfair or parasitic competition or breach the personal data of data subjects.
The format of professional messages must comply with rules defined by the Company's management, particularly as regards the formatting and signature of messages.
If the User is absent for more than 48 hours, he/she must set up an answering machine.
If the User is absent, the Company's IT department may occasionally transfer a strictly professional electronic message to the line manager, (identified as such by its object and/or its sender) to ensure that there is no interruption in the operation of the service.
Users can use a web browser (Webmail) to access their mailboxes remotely. In such cases, files that would be copied to the User's computer must be deleted as soon as possible from that computer. The line manager cannot access the User's other messages. The User in question is informed as soon as possible of the list of messages that have been transferred.
Should the User be absent for a longer period (more than 3 days), the line manager may ask the IT department, once it has received the manager's approval, to transfer the messages that have been received. Except in cases of force majeure, the User is also required to transfer to the Company or allow it to retrieve any information or occupational code required to ensure the continuity of the service in his/her absence (such as passwords and computer codes).
4.2. Technical limitations
For technical reasons, it is only possible to send electronic messages to a limited number of recipients, determined by the Company's management.
This limitation may be lifted temporarily or definitively upon request sent to the Company's IT department.
The maximum size, number, and type of attachments are limited by the IT department and validated by the Company's management to avoid overloading the messaging system.
For storage capacity reasons, electronic messages are retained on the messaging server for a maximum duration of 2 years. After this deadline, they are automatically deleted. If the User wishes to keep messages beyond this time period, it is up to him/her to make a copy.
4.3. Personal use of the messaging system
The use of messaging for personal ends is tolerated, on condition that it complies with applicable legislation, the principles laid down by the Information Technology Charter, and does not affect the User's work or the security of the Company's computer network.
Personal messages sent should be expressly marked as "private" in their subject line and classified in a folder marked "private" as soon as they are sent. Personal messages received must also be classified, as soon as they are received, in a folder marked "private".
In case of failure to comply with these rules, messages are presumed to be of a professional nature.
The transfer of professional messages and their attachments, on personal messaging systems, is subject to the same rules as those applicable to copies of data on external storage media.
4.4. Account deletion
If a User leaves, his/her email account should be placed on an answering machine for a 6 month period.
After this period, the email account will be deleted. The Company reserves the right to view professional messages before the account is deleted, to ensure the continuity of the service.
4.5. The use of electronic messaging to communicate with employee representative bodies
In order to avoid messages to employee representative bodies being intercepted, these messages should be identified and classified as personal messages.
4.6. Unsolicited email
The Company has a tool which enables it to fight against the proliferation of unwanted messages (spam). To avoid further overloading of the network caused by spam, Users are encouraged to limit their prior express consent to receive commercial messages, newsletters, subscriptions or other messages, and to only subscribe to a limited number of mailing lists, especially if they are not of a strictly professional nature.
Article 5 - Telephony
The Company may place a landline or mobile phone at the disposal of the User for the performance of his/her professional activity.
The personal use of the landline or mobile telephone is tolerated on condition that the time spent and the call volumes remain within reasonable limits.
Users' assignments are taken into account when determining restrictions on their use of landlines. For example, certain telephones may only be used for national calls, where others can be used to make international calls.
The Company checks that consumption does not exceed the limits provided for in the contracts signed with the operators.
If consumption is excessive, the IT department, at the request of the Company's management, reserves the right to access the complete number of individual readings/statements and to suspend the international option in case of improper use.
The use of the Skype tool
Skype is a rapid communication tool for members of the same company. A Skype account is created via the professional email address; this tool must therefore only be used for professional purposes.
When a document is received (Word, Excel, etc.), check that the sender is reliable before opening the attachment.
If necessary, Management may record and view all the conversations.
Article 6 - Mobile tools
Mobile tools are mobile technical tools (i.e. portable computers, portable printers, telephones, smartphones, CD-ROM, USB key, tablet).
Whenever technically possible, sensitive information stored on these devices must be protected, mainly by the use of passwords or encryption.
When a portable computer is located in the User's office, his/her computer must be physically attached to an anti-theft device provided for this purpose (except when the User is physically present in the office).
There are risks associated with the use of mobile tools, especially portable computers and smartphones, as regards the confidentiality of messages, especially if these tools are lost or stolen. When these tools are not used for a few minutes, they must be locked in such a way as to prevent any unauthorised access to the data they contain.
The User is required to ensure the security of the mobile tools at his/her disposal. He/she must not facilitate their theft, by putting them in a place where they can be seen.
Article 7 - Procedures specific to the loan of tools
The User must input information and sign a register, held by the Company's IT department, recording the return of the mobile tool or the provision of a specific tool needed for a meeting (such as a video projector).
The User is responsible for the safe custody of such tools and must inform the Company's IT Department in case of an incident (loss, theft, damage/deterioration) so that the theft may be reported, or a complaint submitted. He/she guarantees the security of tools entrusted to him/her and must not circumvent the security policy set up for these same tools. The return of the tool is consigned in the register.
Article 8 - Protection of personal data
8.1. Reminder of the legal framework
EU regulation 2016/676 of the European Parliament and the Council, of April 27, 2016, on the protection of natural persons as regards the processing of personal data and the free flow of data, and repealing the 95/46/CE Directive (hereinafter referred to as the "General Data Protection Regulation"), and Act n°78/17 of January 06, 1978 on Data Processing, Files and Individual Liberties (amended) (hereinafter referred to as "Data protection Act"), define the conditions under which personal data may be processed.
Failure to comply with the General Data Protection Regulation entails administrative fines of up to twenty (20) million Euros for more serious offences or four (4) % of the worldwide annual turnover of the company, whichever is greater.
Furthermore, the breach of the rules on the protection of personal data can lead to criminal sanctions of up to five (5) years in prison and a €300 000 fine, in accordance with the provisions of the Criminal Code.
8.2. Confidentiality rules
In accordance with Articles 34 and 35 of the Computer and Liberties Law, and Articles 32 to 35 of the General Data Protection Regulation, Users must take all precautions that comply with the practices and state of the art in the course of their duties, in order to protect the confidentiality of data to which they have access, and specifically to prevent it from being revealed to persons not expressly authorised to receive this information.
Users undertake to:
- Respect and ensure the integrity and confidentiality of data to which they have access and/or which is in their possession;
- Only reveal or transfer information they have access to and/or are in possession of, to people who are duly authorised, because of their functions, to receive these communications, whether they are private, public, natural or legal persons;
- Refrain from using data to which they have access for purposes other than those related to their functions;
- Refrain from making annotations to the exploited data that might undermine human dignity or refer to the racial or ethnic origin, political, philosophical or religious opinions, union membership, health, life or sexual orientation of the data subjects;
- Refrain from making a copy of this data unless it is required for the performance of their duties;
- Take all measures that comply with the practices and the latest technology, to preserve the physical security of this data;
- Ensure, that within the limits of their functions, only secure communication means are used to transfer this data;
- In case of termination of service, return all data, computer files and all data carriers relating to this data.
These undertakings, which remain in force during the User's entire term of office, shall remain in force indefinitely after his/her termination of service for whatever cause, in so far as they concern the use and communication of personal data.
Non-compliance with these undertakings exposes Users to disciplinary and criminal sanctions in accordance with applicable regulations under Articles 226-16 to 226-24 of the Criminal Code.
8.3. Appointment of a Data Protection Officer
The Company has appointed a Data Protection Officer:
Guy SADOUN | Data Protection Officer
TEL: +33 1 81 92 10 22 / +33 6 64 47 83 44
Hereinafter referred to as the "DPO".
The DPO's mission is to ensure the proper enforcement of rules originating from the General Data Protection Regulation and especially the rights of data subjects. Data subjects have a right of access, rights to erasure, to rectification, to restriction of processing and to object to processing, to the withdrawal and deletion of their personal data as well as the right to give instructions on what happens to their personal data after death. They have the right not to be subject to a decision based solely on automated processing, the right of data portability and the possibility of filing a claim before the French National Commission for Information Technology and Civil Liberties (CNIL).
In the case of difficulties encountered in exercising these rights, data subjects may apply to the DPO.
One of the DPO's functions is to advise and inform Users of their obligations under the General Data Protection Regulation, and other national provisions, or under European Union law in regard to the protection of data rights.
The DPO is at the disposal of the Users to provide them with information and answer all their questions concerning the General Data Protection Regulation, and their obligations in regard to the protection of personal data.
Users must immediately inform the DPO of any breach of security or of the protection of personal data, that comes to their knowledge or that they suspect.
Article 9 - Monitoring of Users' activities
9.1. Automatic filtering systems
As a preventative measure, automatic filtering systems are implemented to reduce the flow of Company information and ensure the security and confidentiality of data. This is accomplished by website content filtering, eliminating unsolicited emails, blocking certain protocols (peer to peer, instant messaging).
9.2. Automatic traceability systems
The Company's IT department, without prior notice, conducts the investigations needed to troubleshoot problems in the Information and Communications System or any one of its components, which could compromise its normal operation or integrity.
The Information and Communications System is based on log files created for the most part automatically by Information Communication Technology tools (ICT tools). These files are stored on computer workstations and on the network. They record all connections and attempted connections to the Information and Communications System. These files include the following information: dates, work stations and object of the event.
They contribute to the proper functioning of the Information and Communications System, and protect the security of the Company's data, by means of hardware or software error detection, monitoring User activity and third party access to the Information and Communications System. Users are thus informed that data is being processed in order to monitor the activity of the Information and Communications System.
The following data, in particular is monitored and stored:
- Data relating to the use of application software, in order to monitor file changes, access and deletions;
- Data relating to inbound and outbound connections to the internal network, messaging and the internet, with a view to detecting the abnormal use of the messaging system, and monitoring attempted intrusions and activities such as visits to websites or downloading.
The Company's IT department is the only recipient of this data, which is deleted six (6) months after it was collected.
9.3. Manual checks
Should the Company's IT department become aware of a malfunction, a person authorised by the Company's management may perform a manual check and verification of any operation carried out by one or more users.
When a user's files are being checked, and unless there is a risk or specific event for the company, which jeopardises the Information and Communications System, the Company's IT department, in accordance with the above-mentioned rules, may only open files identified by the User as personal/private files and stored on the hard disk of the user's computer, in the presence of the user or the duly summoned user.
In accordance with the above-mentioned rules, the Company's IT department may under no circumstances check the content of messages identified by Users as being of a personal nature.
9.4. Workstation management
For purposes of IT maintenance, the Company's IT department may remotely access all workstations. This intervention is carried out with the express authorisation of the User.
As a part of the updates and developments in the Information and Communications System, and when no User is connected to his/her work station, the Company's IT department may have to intervene in the technical environment of the workstations.
Article 10 - Providing information to Users
The Information Technology Charter is posted publicly as an appendix to the Company's rules and regulations.
It is individually communicated to each User. It is systematically handed to any new user, who is required to peruse the document and undertake to comply with it. Updates to the Charter may be validated and accepted via the group's Intranet solutions.
The Information Technology Charter and the technical rules and recommendations of the Company's IT department are also available on the Company's intranet: http://intranet.dev.tray-international.com/accept_tc_pdf.php
The Company's IT department is available to Users to provide them with all the necessary information relating to the use of the ICT tools. It periodically informs Users about the technical limitations of the Information and Communications System and the possible threats to its security.
Internal communication actions are periodically organised in order to inform Users about practices as regards the recommended use of the Information and Communications System.
Each User must keep himself/herself informed about security techniques and maintain his/her level of knowledge in keeping with technological developments.
Article 11 - Training of Users
Users are trained to apply the rules of use as provided in the Information Technology Charter. They will find an online-training course on the Company's intranet, regarding the security of the information and communication tool placed at their disposal, and the protection of personal data.
Article 12 - Procedure when a User leaves
When a User leaves, all the information and communication tools that were made available to him/her (computer, telephone, smartphone, tablet, etc.) must be returned to the Company's IT department.
Before doing so, he/she must delete his/her private files and information. If the User wishes to make a copy of professional documents, this has to be authorised by the line manager.
The User's personal accounts and data are systematically deleted after a maximum period of one (1) month after his/her departure.
Article 13 - Penalties
Non-compliance with the security and confidentiality measures and rules defined by the Information Technology Charter may engage the User's liability and result in warnings, limitations or the suspension of his/her rights to use all or part of the Information and Communications System elements, and/or disciplinary measures proportionate to the seriousness of the infringement identified by the Company, which might even lead to his/her dismissal for serious misconduct.
Once a disciplinary measure is taken against a User, he/she is informed of the reasons motivating such measures, within a short period of time, except in the case of a particular risk or event.
Furthermore, non-compliance with the applicable laws and regulations concerning the security of information systems, incurs the civil or criminal sanctions imposed by the law.
Article 14 - Effective date
The Information Technology Charter, as an addition to the Company's rules and regulations, was communicated on the 1st of May 2018, to the Group's executive and operational Committee.
Prior to this, the Information Technology Charter was submitted to the Management Committee for their opinion.
It takes effect as from the 1st of January 2019, either after a one (1) month period or after the completion of the above-mentioned formalities, and as from this date it cancels and replaces, if need be, any document of like nature, which was previously in force.