Lyreco Privacy Policy

GDPR privacy notice

At Lyreco, we believe privacy is important. That's why we have established a comprehensive privacy program, including a global privacy office and a chief privacy officer, designed to help us protect privacy rights.

To protect your privacy, Lyreco will ensure all Personal Data is handled in a secure way and used only as outlined in the sections below. This privacy policy informs you what Personal Data we collect, how we use it and the measures we take to keep it safe.

This policy is our commitment to privacy concerning the processing of Personal Data related to

Customers. (hereinafter referred as “Privacy Policy”). In this Privacy Policy, “you”, “yours”, refer to the Customer Data Subjects whose Personal Data are processed by or on behalf of Lyreco and “we”, “our”, “us”, refer to Lyreco.

LYRECO, a simplified joint stock company organized and existing under the laws of France, whose

registered offices are rue du 19 mars 1962, 59770 MARLY (France) and all its Affiliated Companies

(hereinafter referred as “Lyreco”) - is a company specialized in workplace solutions, including notábly office supplies, personal protective equipment and packaging distribution. Lyreco is exclusively supplying to other companies in business-to-business relationships (hereinafter referred individually as “Customer” and collectively as “Customers”).

1 Definitions

1.1 “Affiliated Companies” means any companies being controlled by, or under common control with Lyreco.

1.2 “Applicable Data Protection Law(s)” means the relevant local personal data protection, data security, data retention, and data privacy laws and regulations to which the Personal Data are subject, including the GDPR.

1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.4 “Customer Data Subjects” means any employee, consultant, agent, or any other authorized natural person to place purchase order towards Lyreco on behalf of the Customer.

1.5 “Customer Personal Data” means Personal Data of the Customer Data Subjects processed by Lyreco as a Controller while supplying its Services to the Customer.

1.6 “General Data Protection Regulation” or “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.7 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.8 “process,” “processes,” “processing,” and “processed” means any operation or set of operations which is performed on Personal Data or sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.9 “Service” means the supply and sale of products and all associated services proposed globally or at local level by Lyreco

1.10 “Third Party(ies)” means Lyreco authorized auditors, accountants, contractors, agents, and third party service providers that process Personal Data.

2 Scope
This Privacy Policy only applies to Customer Personal Data processed by or on behalf of Lyreco.
Lyreco processes Personal Data fairly and lawfully in accordance with Applicable Data Protection
Laws.
In the event of any conflict between this Privacy Policy and Applicable Data Protection Laws, the
provisions of Applicable Data Protection Laws shall prevail.

What Personal Data do we collect and use?
In the course of supplying its Services to Customers, Lyreco will need to process Customer Personal
Data. Indeed the Customer Data Subjects are the sole end-users of the Lyreco’s website acting on behalf of the Customers, which are in business relationships with Lyreco. The Customer Personal Data to be processed through the website are mainly and basically the Personal Data required in order for Lyreco to be able to supply the Services to the Customers, that is to say mainly to place and follow-up a purchase order placed on the website.
Lyreco processes the following categories of Customer Personal Data :
- Your name, telephone number and email
- Company name, ID number and address
- Credit card information
- Location information (i.e.: IP address)
For the sake of clarity, mandatory information required in online forms are identified by an asterix
field.

What do we use that information for ?
The GDPR allows us to process Personal Data, so long as we have a basis or “ground” under the law
to do so. It also requires us to tell you what those grounds are. As a result, when we process your
Personal Data we will rely on one of the following processing conditions:

  • Performance of a contract: this is when the processing of your personal information is

necessary to perform our obligations under a contract;

  • Legal obligation: this is when we are required to process your personal information to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
  • Legitimate interests: we will process information about you where it is in our legitimate interest in running a lawful business to do so to further that business, so long as it doesn’t outweigh your interests;
  • Your consent. In some cases, we will ask you for specific permission to process some of your personal information, and we will only process your Personal Data in this way if you agree to us doing so. This will be the case when we ask you if you wish to receive a newsletter, or information about our products or services. You may withdraw your consent at any time by contacting us according to the section below in this document.

Your Personal Data are used by Lyreco to:
- Create a Customer Account on our website
- Answer Customer’s enquiries
- Perform Customer management operations regarding orders, deliveries, invoices, accounting
(management of accounts receivable),
- Conduct marketing campaigns and inform Customers about our products and services,
- Monitor our relationship with our Customers conduct Customer satisfaction surveys, conduct
sales statistics,
- Manage unpaid invoices recovery and disputes with our Customers,
- Monitor Customer’s experience on our website
We also use Cookies in order to enhance your customer experience on our website, please refer to the cookie policy section below in this document.

For How long do we keep your Personal Data ?
We will keep your Personal Data during the term of our commercial relationship and up to 3 years
after your last contact or order with Lyreco, unless applicable legislation prevents us from doing so,
notably for archiving purposes. For example, Customer Personal Data mentioned in our invoices
will be kept for a longer period, in accordance with local applicable regulations.

With whom do we share your information ?
Your Personal Data are accessed and processed by authorized members of the commercial, financial
and support departments of Lyreco, for the purposes described above.
Lyreco do not share Personal Data with unaffiliated third parties, except as necessary for its legitimate
professional and business needs, to carry out your requests, and/or as required or permitted by law.
This would include:
Third Party Providers Lyreco may grant access to Customer Personal Data:

  • To its service providers or contractors: Lyreco transfer Personal Data to its third party service providers, such as (IT) systems providers, hosting providers, consultants and other goods and services providers or contractors. Lyreco work with such providers so that they can process your Personal Data on its behalf. Lyreco will only transfer Personal Data to them when they meet Lyreco strict standards on the processing of data and security. Lyreco only share Personal Data in order to provide its Services to Customers.
  • When you enter into transactions with others or make payments on Lyreco's website, Lyreco will share transaction information with those third parties necessary to complete the transaction. We will require those third parties to respect your privacy, and adequately protect your Personal Data.


Courts, tribunals, law enforcement or regulatory bodies: Lyreco reserves the right to share
your information to respond to duly authorized information requests of governmental authorities
or where required by law. In exceptionally rare circumstances where national, state or company
security is at issue (such as terrorist attacks), Lyreco reserves the right to share our entire database
of Customers and Customer Personal Data with appropriate governmental authorities.
Internal auditors, professional accountants, legal advisers may access to documents, such as
invoices, which contain Customer Personal Data, for the purpose of their mission.
• Lyreco may transfer your Personal Data to a potential buyer, transferee, merger partner or
seller and their advisers
in connection with an actual or potential transfer or merger of part or all
of Lyreco’s business or assets, or any associated rights or interests, or to acquire a business or
enter into a merger with it.

Lyreco never sells your Personal Data to third parties, such as marketers.
Lyreco do not provide any Personal Data to "people finder," "public directory" or "white pages" sites.

What about the localization and transfer of your Personal Data ?
Lyreco transmit your Personal Data only within countries of the European Economic Area (EEA) and/or to countries that provide adequate protection as confirmed by the European Commission except under the conditions below. If the processing involves a transfer of your Personal Data to a country outside the European Union and which does not provide adequate protection as confirmed by the European Commission, Lyreco undertakes to secure the transfer by one of the following mechanisms:

  • Standard Contractual Clauses approved by the European Commission (such as Standard Contractual Clauses for Data Controllers 2004/915/EC or Standard Contractual Clauses for Data Processors 2010/87/EU or any subsequent version);
  • Binding Corporate Rules: in case the Third Parties concerned have adopted EU Binding Corporate Rules that cover the Personal Data that Third Parties Process.
  • Any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.

Lyreco processes and shall cause Third Parties to process Personal Data in adequate jurisdictions as
defined in Applicable Data Protection Law(s). These jurisdictions include countries of the European
Economic Area and countries recognized as providing an adequate level of protection by the European Commission (For more information, see European Commission, "Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries.")

How do we secure the processing of your Personal Data ?
Lyreco implements commercially reasonable technical and organizational security controls to protect
your Personal Data against theft, loss or misuse. Your Personal Data will be stored in a secure
operating environment that is not accessible without authorization. Lyreco applies mitigation measures following periodic risk assessments to ensure an adequate level of protection of your Personal Data.

When you enter sensitive information (such as credit card numbers and passwords):

  • We encrypt that information to protect against eavesdropping using SSL.
  • This data is further protected by encryption in storage.
  • We also use measures to enhance security, such as analyzing account behavior for fraudulent or otherwise anomalous behavior.
  • We may limit use of site features in response to possible signs of abuse, may remove inappropriate content or links to illegal content, and may suspend or disable accounts for violations of our terms and conditions.

What are your rights concerning our processing(s) of your Personal Data ?
You have the following rights concerning the processing(s) of your Personal Data made by or on behalf of Lyreco :

  • Access

In addition to the information that is available on Lyreco's website, you have the right to access the
Personal Data that Lyreco holds about you, all subject to the exemptions as contained in Applicable
Data Protection Laws. If you request the data, then Lyreco will assist you. Your identity will need to
be confirmed before you are provided with access to your Personal Data. Generally, Lyreco does not
charge for providing information, but if the request is manifestly unfounded or excessive, in particular because of their repetitive character, Lyreco reserves the right to charge a fee for such requests.
We ask you to submit your request in writing. An access request form is available on Lyreco's website and in all locations for you to fill out. If you choose to write a letter rather than fill out a form, please
include the following:

  1. Your full mailing address
  2. Your daytime telephone number
  3. Names of specific files or types of records to which you request access, including specific dates of those records, where possible

Please provide as much detail as possible.

All formal access requests will be directed to the data privacy officer, who will then review each
request to determine whether Lyreco will disclose the requested information. The data privacy officer
can be reached at the directly at the following address : privacy.office@lyreco.com.

  • Modification

If you believe there is a mistake in your Personal Data, you have a right to ask for the information to
be corrected. We may ask you to provide documentation to show where Lyreco's files are incorrect.
We will amend the erroneous data within a month and will notify you once the correction you have
requested has been completed. GDPR provides you with the right to request correction of your
Personal Data held by Lyreco if you believe there is an error or omission. You are entitled to attach a
statement of disagreement with the information, reflecting any correction you requested, but which
was not made by Lyreco Lyreco will notify any person or organization to which your Personal Data
was disclosed within the year as from your requested correction and advise them about the correction or statement of disagreement.

  • Portability

You may obtain and reuse the Personal Data held by Lyreco for your own purposes across different
services. Lyreco allows you to move, copy or transfer Personal Data easily from one IT environment
to another in a safe and secure way, without hindrance to usability. This right applies to your Personal Data held by Lyreco, where the processing was automated and used in the light of Lyreco Services provision within the contract the Customer has with Lyreco, or where such processing was based on the consent you gave Lyreco for it.

You may Log in to Lyreco's online web portal and download the information provided in the "Export"
section of the portal.

  • Deletion

Lyreco does not store Personal Data without a predefined and documented purpose. We follow laws
that require us to delete Personal Data if the reason for its collection and storage no longer exists. We believe this fulfills the requirements of the privacy principle of "the right to be forgotten."
Where the Personal Data that Lyreco holds is based on the execution of a contract, and you wish to be removed from our systems prior to the retention period indicated in the "How Long Do We Use
Personal Data" section, please contact our Data Privacy point of contact at the following address :
privacy.office@lyreco.com.

f you have registered your personal details with us, you can deactivate your account at any time. For
safety reasons, we have implemented a seven-day grace period after your request for the account to be deleted; however, logging on to your account during the grace period will reactivate the account. To prevent impersonation, once your account is deactivated and after expiration of the grace period, your account will be irrevocably suspended, ensuring that nobody can use that account identifier again.

  • Object to processing

You have the right to object to us processing your Personal Data if we are not entitled to use it any
more. In this case, Lyreco shall no longer process the Personal Data unless Lyreco demonstrates
compelling legitimate grounds for the processing which override your interests, rights and freedoms of the or for the establishment, exercise or defense of legal claims.

How can you contact, raise questions and/or complaints to Lyreco ?

To exercise your rights, express a concern, raise a question, make a complaint, or to obtain additional
information about the processing of your Personal Data by Lyreco, you may send an e-mail to the
following address: privacy.office@lyreco.com or contact Lyreco customer support accompanied by a
valid proof of ID.

Lyreco undertakes to respond to your request within one month and up to 3 months depending on the complexity of the request and/or of the number of requests received by the company.

In case of dispute, you may lodge a complaint with the local Data Privacy Regulatory Authority (i.e
For French Customers, the CNIL).


How do we update/amend this Privacy Policy ?
Lyreco may occasionally update or modify this Privacy Policy.
Lyreco will notify you by placing a prominent notice on the home page of its website or, if legally
required, by directly sending you a notification. Lyreco encourages you to periodically review this
Privacy Policy to stay informed about how Lyreco is helping to protect the Customer Personal Data
collected. Your continued use of the Lyreco Services constitutes your agreement to this Privacy Policy
and any updates.

What is our Cookie Policy ?

Definition :

Cookies, or other similar trackers, are files used by a server to interact with the browser (herein
referred as “Cookies”). Cookies are used to send status information when a user visits a site. Status
information can be, for example, a session ID, language, expiration date, response domain, and so on. Cookies make it possible to store status information during their validity period when a browser
accesses the various pages of a website or when this browser returns to the said site later.

Retention :

There are different types of Cookies used by Lyreco:
- session cookies that disappear as soon as you leave the browser or the site;
- permanent cookies such as analytic cookies that remain on your device until they expire (up to
13 months) or until you delete them using your browser's features.


What about google analytics cookies and usage on our website ?

Lyreco uses Google Analytics. More information about how Google Analytics is used by Lyreco can
be found here: http://www.google.com/analytics/learn/privacy.html
To provide website visitors with more choice on how their data is collected by Google Analytics,
Google have developed the Google Analytics Opt-out Browser Add-on. The add-on communicates
with the Google Analytics JavaScript (ga.js) to indicate that information about the website visit should not be sent to Google Analytics. The Google Analytics Opt-out Browser Add-on does not prevent information from being sent to the website itself or to other web analytics services.