This page describes how Cegid processes the personal data collected from data subjects (clients, prospects…).

If you have any questions or concerns regarding this page, please contact

1. Introduction

The aim of this privacy policy is to introduce the rules related to the protection of personal data that Cegid Group (hereinafter « Cegid ») commits to respect as data controller and data processor. These rules were drafted following the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter « GDPR ») on the protection of individuals with regards to processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE.

This document is likely to evolve, where necessary in order to implement the obligations imposed by the legislation on personal data protection.
We encourage you to periodically review this privacy policy on our corporate website:

The notions concerning personal data protection used in this document have the meaning given in the GDPR, notably in accordance with Article 4 of the GDPR.


2. General principles on personal data protection

When Cegid acts as data controller

According to article 5 of the GDPR, Cegid ensures that personal data are:

  • processed fairly and lawfully;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary for the purposes for which the data were collected;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

When Cegid acts as data processor

According to article 28 of the GDPR, Cegid ensures that:

  • the purposes of the processing of data are described in the contract signed between Cegid and the client;
  • the client’s personal data are processed for the purpose for which they were originally collected and is solely acting on its instructions in accordance with the terms of the contract;
  • the deletion of personal data is carried on under the conditions laid down in the contract, unless the applicable law requires the preservation of personal data.


3. Purpose and legal basis of personal data processing

When Cegid acts as data controller

For internal needs, Cegid collects personal data for purposes such as:

  • management of customer and prospects contact (send marketing or product information, respond to customer requests, assess the needs of your business to determine suitable products…);
  • management of commercial contracts (fulfill order, billing, debt covering…);
  • management of Cegid’s staff, recruitment and careers (evaluate and contact the candidate…);
  • creation and administration of user accounts;
  • development and management of services to which the client subscribed (records of call(s) to support service…).

Depending on these different purposes, Cegid ensures that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract;
  • processing is necessary for compliance with a legal obligation to which Cegid is subject;
  • processing is necessary in order to protect the vital interests of a natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by Cegid except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

When Cegid acts as data processor

It may be necessary for Cegid to access and process personal data provided by its clients within the framework of completion of offers and services to which the customer subscribes.

The access and processing are organized by a contract containing specific clauses for data protection signed between Cegid and the client.

Cegid processes personal data only on behalf of the client in accordance with the provisions of the contract.


4. Security and notification of personal data breaches

Cegid has implemented technical and organizational measures to ensure a level of security appropriate to the risks.

Cegid’s Information Security Management Systemis certified ISO 27001 on the following scope: “Application hosting services in a Cloud environment, containing data provided by the clients”.

This certification ensures the implementation of a certified security policy applied to the processes and workflow of Cegid during the duration of the SaaS service for the client.

All employees of Cegid are subject to an IT security charter annexed to the internal regulation to ensure an appropriate level of security awareness.

According to articles 33 and 34 of the GDPR, personal data breaches shall be notified:

  • when Cegid acts as data controller, to the French supervisory authority (CNIL) and if necessary, to data subjects affected by the breach;
  • when Cegid acts as data processor, to its clients affected by the breach in accordance with the contract signed between Cegid and its clients.


5. Rights of the data subject

When Cegid acts as data controller

Under the conditions set forth in articles 15 and 22 of the GDPR, data subjects have the right to:

  • access their personal data processed by Cegid;
  • request the rectification, erasure or restriction of processing of personal data carried out by Cegid;
  • in certain circumstances, object to the processing of their personal data;
  • request the portability of personal data;
  • withdraw their consent when it is the legal basis of the processing.

All requests related to those rights shall be made by filling out the form available on the following website :

Cegid reserves the right to ask for clarifications in relation to any request and to justify the identity of the requester.

You may sign-up to receive newsletters or other communications from Cegid. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails Cegid sends to you.

In any event, Cegid actively recommends contacting the competent national supervisory authority for more information about the legislation on data protection, the rights of data subjects and the possibility of lodging a complaint with this authority.

When Cegid acts as data processor

In the event Cegid receives a request from the data subject as part of the realization of the contract between Cegid and the client, Cegid will communicate this request to the client at the earliest from its receipt and, taking into account the nature of the processing and the terms of the contract, will assist the client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights.

The client remains nevertheless responsible for replying to the data subject concerned.


6. Information to be given to the data subject

When Cegid acts as data controller

When collecting personal data, Cegid undertakes to provide data subjects with at least the following information, to the extent possible and regardless of the processing carried out:

  • the contact information of the controller such as company name and email address and its Data Protection Officer’s contact;
  • the purposes of the processing and its legal basis;
  • the recipients;
  • transfers of data to third countries;
  • the length of time the data are to be stored;
  • the possibility to request the exercise of rights which can be applied pursuant to the applicable legislation;
  • the right to submit a complaint with the supervisory authority

When Cegid acts as data processor

Pursuant to article 13 of the GDPR, the controller has the responsibility to inform data subjects.

In accordance with the terms of the contract, Cegid provides its clients, acting as data controllers, with any information that might help them to enforce article 13 of the GDPR.

Cegid may receive personal data (name, company, phone, email address) from external sources like leads provider.

Such data is processed only to:

  • update, develop and analyze its contacts (clients/prospects) database;
  • generate leads;

provide information relating to Cegid products and services that may be of interest to such contact.


7. Transferts outside the European Union

Personal data may be processed outside European Union. As a consequence, in application of the applicable law, Cegid cannot transfer personal data, without implementing the appropriate safeguards according to article 46 of the GDPR, outside:

  • the European Union, or
  • the European Economic Area, or
  • a third country recognized by the European Commission as ensuring an adequate level of protection in application of the Applicable Law, including the companies established in the United States of America with “Privacy Shield” certification or, another privacy framework.


8. Data recipients

Cegid may share personal data with third parties under the conditions of this privacy policy and/or the applicable agreement.

For more information about the recipients, please contact

Services provider

Cegid may share personal data with third parties who provide the services:

  • On Cegid’s behalf to help with its business activities (consulting, networking infrastructure services, subcontractors…) in application of the client agreement;
  • To help to manage contractual obligations (debts recovering…);
  • To send marketing communication on behalf of Cegid.

Commercial or distributor Cegid partners  

Cegid has developed a partner network (distributor, software provider…) for several of its services and products in order to help Cegid to deliver and develop its products.

Depending on the product that is interesting or may be interesting for a contact, Cegid may share personal data with its appropriate partner.

Subsidiaries of Cegid Group

If it is necessary, in case of a signature of an agreement, an application for a job position in one of the subsidiaries..), Cegid may share personal data with the subsidiaries of Cegid Group for purposes that are described in the privacy policy.

Public authorities

In certain situations, Cegid may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Cegid may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when Cegid believes in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a legal request.


9. Cooperation of Cegid with its clients and with the supervisory authority

According to article 28 of the GDPR and its contractual engagements, Cegid can cooperate with its clients in order to assist them to comply with their legal obligations pursuant to articles 32 to 36 of the GDPR.

Cegid can cooperate with the French supervisory authority (CNIL) where necessary and to consider its recommendations.


10. Privacy by design regarding products and services

If Cegid plans to develop a new service or offer, Cegid, as software provider, will make every effort to introduce from the beginning of the project the principles for the protection of personal data (“privacy by design”) develop functionalities and specific means into its products in order to help its clients to comply with the GDPR.


11. Cegid staff awareness

All new Cegid employees must follow an awareness training concerning personal data protection.

More generally, Cegid will make every effort to offer its employees regular awareness raising regarding personal data protection.

Awareness raising or more specific trainings may be conducted for employees working on a regular basis with personal data.


12. Governance of personal data protection

To have optimum control of personal data protection, Cegid has a dedicated governance.

A Data Protection Officer (DPO), the overseer of the governance of personal data protection, was named in May 2018, and declared to the French supervisory authority (CNIL).

A strategic committee transversally supervises all the activities of Cegid with the support of an operational committee composed of the DPO and contact points within different departments of Cegid.


13. Records of processing activities

Pursuant to article 30 of the GDPR, Cegid maintains two records of personal data processing:

  • a record describing the processing carried out as data controller;
  • a record describing the processing carried out on behalf and on documented instructions of its clients acting as data controllers.

These records are made available to the CNIL upon request.


14. Contractual policy

Cegid has considered the new mandatory contractual stipulations according to article 28 of the GDPR in all contracts concerned.

Therefore, specific contractual clauses on data protection and in compliance with the applicable legislation have been introduced to:

  • client contracts (GTC /GTU);
  • contracts between Cegid and its own data processors.


15 Contact

If you have any inquiries regarding this privacy policy, please send an e-mail to the following address:


Effective Date: September 1st 2019

This Privacy Policy applies to HR & Talent Management Solution business unit and service, owned and operated by Cegid Corporation (collectively, “Cegid”, “We”, “Us”, or “Our”) in the U.S.A. It excludes the Retail business. This privacy policy describes how Cegid collects, uses, shares and secures the personal information you provide. It also describes the choices available to you regarding the use of, your access to, and how to update and correct your personal information.


16.1. Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Cegid (HR & Talent Management Solution business unit) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield List.

Cegid is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Cegid complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Cegid is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.


16.2 External sites

This website includes links to other websites whose privacy practices may differ from those of Cegid. If you submit personal information to any of those websites, your information is governed by their privacy policies. Cegid encourages you to carefully read the privacy policy of any website you visit.


16.3 Contact information

If you have any questions or concerns regarding this privacy policy, the practices of this site or your dealings with this site, please contact us using the information below:

Cegid Corporation 1270 Avenue of the Americas – Suite 807 New York, NY 10020

T: +1 800.413.3521

In order to provide the required service and manage the commercial relationship with its clients, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: surname, name, e-mail address, telephone number, position and company name.

This personal data is processed by Cegid SAS for the purposes of commercial relationship management, for commercial communications from Cegid and providing the appropriate service or product.

Cegid may use third parties for purposes like debts recovering and commercial communication on its behalf.

For more information about Cegid partners and/or processor, please contact

You can exercise your rights in accordance with this policy (article 5).

Depending on the nature of the form, Cegid SAS, as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), may collect the following personal data: Surname, name, e-mail address, telephone number, position and company name.

This personal data is processed by Cegid SAS for the purposes of commercial relationship, and customer and prospects database management, for commercial communications and production of statistics.

Cegid SAS’s subsidiaries and partners may be the recipients of those personal data for the purposes described above. Cegid’s partners could be a distributor of Cegid products that could be of interest for a prospect or a client of Cegid.

Cegid SAS, its subsidiaries and partners may transfer those data to third countries if it is necessary for the purposes . You can contact Cegid for more information on this matter.

These data will only be stored for the necessary period of time to accomplish the objects of the processing and you can exercise your rights in accordance with this policy (article 5).

In order to provide the required service, Cegid SAS, acting as data controller, located at 52 quai Paul Sedallian, 69009 Lyon (France), collects and processes the following personal data: surname, name, e-mail address, telephone number, position, company.

This personal data is processed by Cegid SAS for the purposes of user account management and communication.

In addition, for “Portail Cegid” product only, such personal data is also processed by Cegid SAS for the purposes of commercial relationship management and for commercial communications from Cegid and/or its commercial partners. Such commercial partners are presented during the use of the product.

In the case of contractual relationship between Cegid’s client and a third party like a distributor or a software provider partner, such third party may process the same personal data for the same purposes. In this case, processing conditions are defined by such third party.

The activities on the platform (connection and use) are also registered by Cegid SAS (log). These data are registered in order to ensure the traceability and security of the data and they are stored for a maximum period of one year.

You can exercise your rights in accordance with this policy (article 5).

The Web servers of Cegid Group websites automatically collect from the users of Cegid group sites (hereinafter referred to as “the sites”), the information relating to the use of the sites (as well as certain other information such as browser type and the operating system or IP addresses).
Cegid group websites may use cookies, small text files sent and stored on your computer that allow web servers to recognize users’ habits, facilitate their access to Cegid group sites, and allow the sites to compile global data that will improve the sites and their content.Cookies do not damage the computers or files. The cookies themselves cannot be used to discover the identity of the user.

The law states that we may only store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third-party services that appear on our pages.
At any time, you may change or withdraw your consent on our Privacy Policy page.
Your consent applies to the following area:

How to manage your cookies on your browser?

You have several options to delete the cookies.

Indeed, if most browsers are set by default and accept the installation of cookies, you have the option, if you wish, to choose to accept all the cookies, or reject them systematically or choose the ones you accept according to the issuer.
You can also set your browser to accept or refuse cookies on a case-by-case basis prior to their installation. You can also regularly delete cookies from your device via your browser.

For the management of cookies and your choices, the configuration of each browser is different. It is described in the help menu of your browser, which will allow you to know how to change your configuration on cookies.

However, if you set your browser to refuse the cookies or refuse the installation of a cookie, such deactivation could prevent the use of certain features of the Cegid group sites or prevent the access certain services, for which we cannot be held responsible.

We thank the users of the site to inform us of any omissions, errors, or corrections, by using our contact form.

Data subject’s rights

In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (« GDPR »), you have the right of access, rectification, data portability, restriction of processing, object and to erasure (“right to be forgotten”) concerning your personal data processing by Cegid.

To exercise your right, please complete the following form.

To lodge a complaint, please visit the website of your national supervisory authority