Personal Data Protection

Dassault Systèmes has always considered the protection of personal data a major concern for its customers and partners and is aware of its responsibility in processing such data. Since the introduction of the European Union’s General Data Protection Regulation (GDPR) as well as other data protection laws, Dassault Systèmes has continuously reasserted its data privacy commitment by improving its solutions through new capabilities that enable relevant stakeholders to manage their data privacy compliance programs.

 

Dassault Systèmes values the confidence of its customers, users, staff, and global ecosystem. Therefore, any personal data collected, used, disclosed, and transferred is managed in a manner consistent with the laws, regulations, and practices of the countries in which Dassault Systèmes does business.

How has Dassault Systèmes addressed data privacy compliance?

To support this compliance, Dassault Systèmes has implemented a Data Privacy Compliance Program within the Dassault Systèmes Group. The Program is based on the following main principles:

  • Appointment of a Group Data Protection Officer and establishment of a cross‑functional Data Privacy team that oversees both internal and stakeholders’ compliance requirements. This team is charged with:
    • Managing Dassault Systèmes’ internal compliance with regard to data protection laws and privacy policies;
    • Continuously identifying and monitoring enhancements to Dassault Systèmes’ solutions, websites and communications to enable stakeholders’ compliance with data privacy laws, including, but not limited to, GDPR.
  • Deployment of Dassault Systèmes’ Global Training Plan on data privacy to ensure a high level of awareness among Dassault Systèmes’ employees. As such, employees must agree to follow our Code of Business Conduct, IT charter and data protection policies and must complete mandatory ethics and compliance training addressing security and privacy, including:
    • Preventing threats to data security.
    • Securing physical data and workstations; clean desk policy.
    • Personal data protection and confidentiality.
    • Ethical business behavior; anti-corruption and competition law principles.
    • Incident management; recognizing and reporting potential threats. We continually foster security and privacy awareness throughout the organization.
  • Implementation of technical and organizational measures to protect personal data. These measures are updated from time to time to reflect evolutions according to Dassault Systèmes standards. In particular, Dassault Systèmes is certified to ISO 27001:2017 (Information security management) and ISO 27701:2019 (Personal Data Protection management) for the 3DEXPERIENCE platform SaaS, both when acting as controller for personal data provided in this context and when acting as processor for personal data under the control of a customer and processed in this environment. Other Cloud Offerings are also certified. For more information, please refer to Dassault Systèmes’ Annual Report.

What is the responsibility of a data controller versus a data processor?

In the course of its business activities, Dassault Systèmes acts as data controller or data processor under certain applicable data privacy legislation. Designation of an entity as controller or processor entails different obligations.

Dassault Systèmes acts as data controller when processing personal data in its internal tools (e.g. financial systems) for its own needs.

By contrast, Dassault Systèmes acts as data processor when it provides certain Dassault Systèmes’ solutions, such as the 3DEXPERIENCE Platform on the Cloud, and services to an enterprise, for the personal data it has been asked to process and store. Dassault Systèmes’ Customers are considered as acting as data controller and, in that respect, are ultimately responsible for determining how they will comply with the applicable data protection laws based on their specific business requirements when using Dassault Systèmes’ solutions. Consequently, customers need to determine when personal data should be manipulated (deleted or modified per the applicable data protection laws) or when it should be retained for record keeping or regulatory, industry or statutory purposes. It is the responsibility of Dassault Systèmes to release its solutions with functionalities that enable customers to be compliant with applicable data protection legislation. That is why Dassault Systèmes’ solutions are designed according to the concepts of “Privacy by Design” and “Privacy by Default”, which aim to ensure that privacy is integrated into applications from the design stage.