
Our IT charter

OBSAM's business is centered on the accumulation and management of specialized data (references for industry) for the benefit of its customers. It implements an information and communication system necessary for the performance of its missions, by providing its employees with appropriate IT tools. The smooth running of OBSAM's business depends on the appropriate use of available IT resources and compliance with the company's recommendations.

The present charter defines the conditions of access and rules for use of IT resources and external resources via OBSAM's communication tools. It also aims to raise user awareness of the risks associated with the use of these resources in terms of the integrity and confidentiality of the information processed. These risks require compliance with certain rules of security and good conduct. Carelessness, negligence or malice on the part of a user may lead to serious consequences, incurring civil and/or criminal liability, as well as that of the company.
The implementation of this charter is in line with the Corporate Social Responsibility (CSR) approach adopted by OBSAM for a virtuous and reasoned use of IT resources.
This IT Charter includes an appendix recalling the applicable legal provisions. This IT Charter does not concern the use of IT tools made available by OBSAM to customers.

A few definitions:

  • The term «user» or «employee» refers to any person authorized to access and use OBSAM's IT tools and means of communication: employees, trainees, temporary staff, staff from service providers, occasional visitors, etc.
  • The term «IT department» is used interchangeably with «technical resources» to refer to the department in charge of network operation and security, as well as IT and communications resources.
  • The terms «IT tools» and «communication tools» all cover

Protection of personal data

The French Data Protection Act no. 78-17 of January 6, 1978, amended in 2004, and the General Data Protection Regulation that came into force on May 25, 2018, define the conditions under which personal data may be processed. They give people affected by processing a right to access and rectify data recorded on their account.
OBSAM has appointed a Data Controller (RT). He or she keeps a register listing all OBSAM's personal data processing operations as they are implemented. The Data Processor ensures that a correspondent, designated for each department, carries out personal data management tasks.
The RT ensures that the rights of individuals (right of access, rectification and opposition) are respected. In the event of difficulties encountered in exercising these rights, the persons concerned may refer the matter to the correspondent, or failing this to the RT.

THE SCOPE OF THE CHARTER

The present charter applies to all users of the OBSAM Information and Communication System in the exercise of their professional activities. Private use of these tools is tolerated during breaks.
Generic addresses used simultaneously by several OBSAM employees (contact@obsam.com, support@obsam.com, etc.) may not be used for private purposes. An electronic signature is created for each employee using these addresses. Each employee must conclude any e-mail sent with the corresponding electronic signature.

The charter is available on OBSAM's Agora (general procedure Technical Resources), brought to the attention of all users by memo, and e-mailed to all new arrivals. Making the charter available to OBSAM's personnel is deemed to constitute their reading of it and their commitment to it.

An annual awareness-raising session is held on information systems security (SSI) risks, data use and good IT practices.

RULES FOR USING OBSAM'S INFORMATION SYSTEM

Each user has access to the IT tools required for his or her professional activity under the conditions defined by OBSAM.

1. How OBSAM's IT department works

OBSAM ensures the proper operation and security of networks, IT and communication resources through its own technical resources and, if necessary, with the help of an external service provider. Its staff are equipped with the technical tools needed to investigate and control the use of the information systems in place.
They have access to all technical data, but undertake to respect the rules of confidentiality applicable to document content.
They are subject to a duty of confidentiality, and are required to maintain the confidentiality of any data they come into contact with in the course of their duties.

3. Safety rules and best practices


All users undertake to comply with the following safety rules:

  • Report to OBSAM's IT department any suspected violation or attempted violation of their network account, and in general any malfunction.
  • Never give out your login/password.
  • Never ask an employee for his or her login/password.
  • Don't hide your true identity.
  • Do not usurp the identity of others.
  • Do not modify workstation settings.
  • Do not install unauthorized software.
  • Do not copy, modify or destroy OBSAM's software properties and data sources.
  • Lock your computer as soon as you leave your workstation.
  • Do not access, attempt to access, delete or modify information that does not belong to you.
  • Any copy of data onto an external medium must be approved by the line manager and comply with the rules defined by OBSAM.

It should also be noted that visitors may not access OBSAM's Information System without the company's prior consent.
Consequently, contracts signed between OBSAM and any third party having access to data, computer programs or other means must include a clause setting out the obligation to comply with the charter, binding on the third party, its employees and any subcontractors.

IT RESOURCES

1. Employee arrival/workstation configuration

OBSAM provides each user with a workstation equipped with the IT tools required for the performance of his or her duties (see job description). The user's signature on the equipment handover form confirms acceptance of the equipment.

The user must not:
  • Modify this equipment or its operation, parameterization, and physical or software configuration.
  • Connect or disconnect computer and communications equipment without authorization.
  • Move computer equipment (unless it is «nomadic equipment»).
  • Interfere with computer and communications tools.

Any installation of additional software (e.g. for viewing multimedia files) is subject to the agreement of the technical resources manager.

2. Nomadic equipment and procedures specific to lending equipment

Mobile equipment

«Nomadic equipment» refers to all mobile technical resources (laptops, portable printers, cell phones or smartphones, CD ROMs, USB sticks, etc.). Whenever technically possible, they must be specially secured, in view of the sensitivity of the documents they may store, notably by encryption. The use of smartphones for automatic e-mail retrieval entails particular risks for the confidentiality of messages, particularly in the event of loss or theft. When these devices are not in use for a few minutes, they must be locked by a suitable means to prevent unauthorized access to the data they contain.

3. Internet

Users may consult websites of any kind that have a direct and necessary link with their professional activity.
However, occasional and reasonable use of websites for personal reasons, whose content is not contrary to the law or public order, and does not jeopardize the company's interests, security or reputation, is permitted. In such cases, improper use may constitute professional misconduct. This private consultation time is tolerated during break periods... The consultation, even involuntary, of malicious sites would be likely to constitute professional misconduct.

4. Using generative artificial intelligence

OBSAM tolerates the use of generative artificial intelligence under the following conditions:

    • only for professional use and in connection with the employee's position;
    • with a formal ban on transmitting to the generative artificial intelligence solution:
      • personal data,
      • sensitive information (strategic, commercial, balance sheet data, etc.) concerning the company's business,
      • intellectual property.

5. Electronic messaging

Terms of use

The messaging system made available to users is intended for professional use. Personal use is tolerated as long as it does not affect the agent's work or the security of OBSAM's computer network.

Any message that expressly or clearly states its personal nature will benefit from the right to privacy and secrecy of correspondence. Otherwise, the message is presumed to be professional.

OBSAM will not access files or messages identified as «personal» in the subject line of the agent's e-mail.

The use of e-mail is subject to the rules of use defined by the service provider.

Transferring work-related messages and attachments to personal e-mail accounts is subject to the same rules as copying data to external media.

Agents can consult their e-mail remotely, using a browser (webmail). It is not advisable to save documents from this mailbox on personal equipment during this consultation. If necessary, files copied to the agent's computer should be deleted from the computer as soon as possible.

Mailbox consultation

In the event of an employee's absence and in order not to interrupt the operation of the department, OBSAM's technical resources department may, on an ad hoc basis, forward to management or a department head an electronic message of an exclusively professional nature and identified as such by its subject and/or sender, without the explicit authorization of the recipient or sender of this message (see conditions of use).

Management or the head of department do not have access to the agent's other messages. The agent concerned is informed as soon as possible of the list of messages that have been transferred.

In the event of an agent's prolonged absence (long-term illness), the head of department may ask the IT manager, with the agreement of his or her director, to forward messages received.

Unsolicited e-mail

OBSAM has a tool to combat the spread of unwanted messages (spam). In order not to increase network congestion linked to this phenomenon, users are invited to limit their prior explicit consent to receive commercial messages, newsletters, subscriptions or other, and to subscribe to a limited number of mailing lists, particularly if they are not strictly professional.

6. Phone

OBSAM provides users with fixed and mobile telephones for their professional activities.

Private telephone use is permitted, provided it remains reasonable.

Restrictions on the use of landline telephones by agents have been put in place to take account of their duties. For example, calls are restricted to certain numbers.

OBSAM does not have access to all the numbers called via the automatic exchange set up or via cell phones. However, in the event of manifestly abnormal use, the IT or administrative department, at the request of the line manager, reserves the right to access the complete numbers of individual statements.

7. The use of IT tools by employee representatives

As part of their mandate, full and alternate members of the CSE use the IT tools allocated to them to carry out their professional activities. They have a dedicated e-mail address (cse@obsam.com).

INFORMATION SYSTEM ADMINISTRATION

Various systems are in place to monitor the operation and security of the information and communications system, with access to all technical data while respecting the rules of confidentiality applicable to document content.
They are subject to a duty of confidentiality, and are required to maintain the confidentiality of any data they come into contact with in the course of their duties.

1. Automatic filtering systems

As a preventive measure, automatic filtering systems reduce the flow of information for OBSAM and ensure data security and confidentiality. These include filtering Internet sites, eliminating unsolicited e-mail and blocking certain protocols (peer-to-peer, instant messaging, etc.).

2. Automatic traceability systems

OBSAM's IT department carries out, without warning, the necessary investigations to resolve malfunctions in the information system or any of its components, which jeopardize its operation or integrity.

It relies on log files, which record all connections and attempted connections to the information system. These files contain the following data: dates, workstations and event object.

The IT department is the sole user of this information, which is deleted after three years.

3. Workstation management

For IT maintenance purposes, OBSAM's IT department may remotely access all workstations. Such access is subject to the user's express authorization.

In the context of information system updates and upgrades, and when no user is logged on to his or her workstation, the IT department may need to intervene in the technical environment of workstations. Access to content is forbidden.

REASONED USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES (CSR)

The use of digital technology increases our carbon footprint. OBSAM, as part of its CSR approach, has adopted collective measures such as the use of reconditioned computer equipment, aimed at greater digital sobriety. OBSAM invites employees to apply the following non-exhaustive recommendations:

  • put unused equipment on standby or switch it off (in the evening, during long absences, etc.),
  • limit replies to e-mails to the strict minimum (thanks, etc.),
  • limit the size of attachments (prefer pdf),
  • limit high-consumption digital uses (high-quality videos, etc.),
  • limit archiving to what is strictly necessary: e-mails, files...

PROCEDURE APPLICABLE WHEN THE USER LEAVES

On departure, the user must return the equipment to the IT department.

Private files and data must be deleted beforehand. All copies of business documents must be authorized by the department head.

The user's accounts and personal data are, in any case, deleted within a maximum period of one month after his departure.

In the case of generic e-mail addresses, all exchanges will be available to subsequent users. Departing users must therefore ensure that they have deleted all personal exchanges, and that all exchanges have been properly filed in the corresponding folders.

RESPONSIBILITIES - PENALTIES

Failure to comply with the security and confidentiality rules and measures defined in this charter may result in the user being held liable and subject to sanctions.
Internal sanctions may be imposed:
  • In the first instance, a call to order from the user's department head or the person in charge of technical resources;
  • In the second stage, and in the event of a repeat offence, after consultation with the technical resources manager and the agent's line manager, the agent is summoned by management, which may lead to disciplinary action.
Failure to comply with applicable laws and regulations on information systems security (see attached list of regulations) may result in legal penalties.

ENTRY INTO FORCE OF THE CHARTER

The present charter has been adopted after informing OBSAM employees. It is applicable from January 2, 2025.

APPLICABLE LEGAL PROVISIONS

Directive 95/46/EC of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Law no. 78-17 of January 6, 1978 on data processing, data files and individual liberties, amended by law no. 2004-801 of August 6, 2004. Penal provisions:
  • Penal Code (legislative part): art 226-16 to 226-24
  • Penal Code (regulatory part): art R. 625-10 to R. 625-13

Law no. 88-19 of January 5, 1988 on computer fraud, known as the Godfrain Law. Penal provisions: articles 323-1 to 323-3 of the French Penal Code.

Law no. 94-361 of May 10, 1994 on the intellectual property of software.

Law no. 2004-575 of June 21, 2004 on confidence in the digital economy (LCEN). Penal provision: art L.335-2 of the French Penal Code.