SesamEO® Service Data Processing Agreement & Cookies Policy
This policy was last reviewed and updated: 13th March 2025.
SesamEO® Service Data Processing Agreement
Important notice: This Data Processing Agreement (DPA) shall be read in conjunction with our cookies policy (see specific section at the end of this document) and the Terms of SesamEO® Service Agreement.
GAEL Systems S.A.S., with registered office at 25 rue Alfred Nobel, 77420 Champs-sur-Marne (France) (“GAEL Systems” or the “Data Controller”), which can be contacted at the followipport@deltatwin.eu acting in its capacity of data controller is committed to protecting and respecting your privacy.
This Data Processing Agreement (DPA) provides information to you about the basis on which any personal data we collect from you, or that you provide to us, will be processed by us if you are a customer of the SesamEO® Service (the “Service”) - as defined in the Terms of SesamEO® Service Agreement.
The Service is provided through the platform.destine.eu (the “Site”). The Site is provided by Serco Italia S.p.A with registered office at viale dell’Astronomia 13, ng email su Cap 00144 (Rome, Italy).
This DPA shall be read in conjunction with the Privacy policies of the platforms where the Service is provided, in particular:
In this DPA, the terms “we”, “our”, and “us” are used to refer to the Data Controller responsible for your personal information.
We will collect and process the following data about you from your use of our Site:
Since we are currently offering a first version of SesamEO® through the DestinE Platform site, provided and managed by our partner Serco Italia S.p.A, we do not collect any data from you, except for the data listed at the end of this document (cookie list). Our partner Serco Italia S.p.A collects data about you (see their DPA here: https://platform.destine.eu/privacy-policies/) and may transfer some data from you to us only for technical and support reasons.
We use information held about you for the following purposes:
(the purposes from a) to b) are jointly defined as the "Contractual Purposes")
(the purposes of letter c) above are jointly referred to as "Legitimate Interest Purposes")
(the purposes of letters e) and f) above are jointly referred to as "Marketing Purposes").
Note: At this time, we are not in the process of implementing any of the marketing purposes.
Data protection laws require that we meet certain conditions before we are allowed to use your data in the manner described in this DPA. We take our responsibilities under data protection laws extremely seriously, including meeting these conditions.
The processing of your personal data is necessary with regard to the Contractual Purposes as it is essential:
Failure to provide the data for the above purposes will unfortunately mean we cannot provide our services to you, as to allow you to use our Service would mean we would be in breach of our legal obligations.
The processing of your personal data with regard to the Legitimate Interest Purposes of Section B.2 is carried out in compliance with article 6, letter f) https://gdpr-info.eu/art-6-gdpr/ of the EU General Data Protection Regulation 2016/679 (the “European Privacy Regulation”), for the pursuit of GAEL Systems’ legitimate interest to the detection of potential frauds, the recovery of debts towards to company and the performance of the economic activities referred therein, which is adequately balanced with your interest since the data processing is performed within the limits strictly necessary to their performance.
This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and you can object to the data processing at any time through the modalities as per this DPA.
Finally, the data processing with regard to the Marketing Purposes is based on your prior consent. Such data processing is not mandatory however should you refuse to provide the relevant consent you will not receive marketing communications as per Section B.2. In any case, you can withdraw your consents at any time through the modalities as per this DPA.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
Your personal data will be processed both electronically and/or manually, in any case in such a way as to guarantee the security, protection and confidentiality of the data, thanks to appropriate administrative, technical, personnel and physical measures against loss, theft and unauthorized use, disclosure or modification.
Your Personal data will be stored for the period necessary to fulfil the purposes for which the data was collected as outlined in this DPA. In any case the following retention periods will apply to the processing of your personal data for the purposes indicated below:
Note: At this time, we are not in the process of implementing any of the marketing purposes.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
For the Contractual Purposes, personal data may be transferred to the following categories of recipients located within the EU and within the limits as set below:
(a) third parties service providers entrusted with processing activities that provide additional services, hosting cloud services or assistance and advice to GAEL Systems, with special but not exclusive reference to technology (in particular, but not exclusively analytics and search engine providers that assist us in the improvement and optimisation of our Service and other selected third parties), accounting, administrative, legal, insurance, IT matters; (b) affiliates; and (c) persons and authorities whose right to access personal data is recognized by law, regulations or provisions issued by legally empowered authorities. The abovementioned recipients will process personal data as data controllers, data processors or persons in charge of processing, depending on the circumstances.
For the Legitimate Interest Purposes, personal data may be transferred to the following categories of recipients located within the EU and within the limits set below:
(a) potential purchaser of GAEL Systems and the entities resulting from mergers or any other transformation involving GAEL Systems, (b) competent authorities.
For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits set below: (a) third parties service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
The data processors appointed by GAEL Systems include Serco Italia S.p.A and OVHCloud.
You have a number of rights under data protection law in relation to the way we process your personal data. These are set out below. You may contact us by sending a communication to our DPO directly (see email address above) to exercise any of these rights, and we will respond to any request received from you within one month from the date of the request.
At any given time, you can exercise the following rights:
You will have the right, in any given moment, to:
The data protection officer appointed by GAEL Systems pursuant to Section 37 of the Privacy Regulation can be contacted at the following email address: support@deltatwin.eu.
Any changes to this DPA in the future will be posted on this page, and where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this DPA.
GAEL Systems S.A.S., with registered office at 25 rue Alfred Nobel, 77420 Champs-sur-Marne (France) (“GAEL Systems” or the “Data Controller”), which can be contacted at the followipport@deltatwin.eu acting in its capacity of data controller is committed to protecting and respecting your privacy.
This Data Processing Agreement (DPA) provides information to you about the basis on which any personal data we collect from you, or that you provide to us, will be processed by us if you are a customer of the SesamEO® Service (the “Service”) - as defined in the Terms of SesamEO® Service Agreement.
The Service is provided through the platform.destine.eu (the “Site”). The Site is provided by Serco Italia S.p.A with registered office at viale dell’Astronomia 13, ng email su Cap 00144 (Rome, Italy).
This DPA shall be read in conjunction with the Privacy policies of the platforms where the Service is provided, in particular:
- the privacy policy of the site platform.destine.eu, site provided and managed by Serco Italia S.p.A with registered office at viale dell’Astronomia 13, Cap 00144 (Rome, Italy), accessible here.
In this DPA, the terms “we”, “our”, and “us” are used to refer to the Data Controller responsible for your personal information.
A. Information we collect from you
We will collect and process the following data about you from your use of our Site:
1. Registration data and other information you give us. This is data about you that you give us directly or indirectly through the Site when you register, subscribe and use the Service, or when you are exchanging with us through our support email address. The data you give us may include your name, surname, e-mail address, and in case of companies the details of the company.
2. Technical information. We may also collect technical data, including the Internet protocol (IP) address used to connect your computer to the Internet, MAC addresses, traffic data, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and cookies, which will be collected in accordance with our cookies policy (see end of this document for the cookies list).
2. Technical information. We may also collect technical data, including the Internet protocol (IP) address used to connect your computer to the Internet, MAC addresses, traffic data, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and cookies, which will be collected in accordance with our cookies policy (see end of this document for the cookies list).
Since we are currently offering a first version of SesamEO® through the DestinE Platform site, provided and managed by our partner Serco Italia S.p.A, we do not collect any data from you, except for the data listed at the end of this document (cookie list). Our partner Serco Italia S.p.A collects data about you (see their DPA here: https://platform.destine.eu/privacy-policies/) and may transfer some data from you to us only for technical and support reasons.
B. How we use your information
We use information held about you for the following purposes:
1. to allow you to register to use our Service and therefore carrying out our obligations arising from any agreements entered into between you and us and to provide you with the information, products and services that you request from us;
2. to carry out appropriate and necessary investigations and discharge our legal and regulatory obligations and duties, including to comply with (to the extent applicable):
- the guidance of any relevant regulatory body;
- the requirements of applicable legislation for the combatting of money laundering, fraud, terrorist financing, bribery, corruption, tax evasion, the provision of financial or other services to persons who may be subject to economic or trade sanctions; and
- any other local laws, regulations, directions, codes of practice, circulars, orders notices or demands which may otherwise apply;
2. to carry out appropriate and necessary investigations and discharge our legal and regulatory obligations and duties, including to comply with (to the extent applicable):
- the guidance of any relevant regulatory body;
- the requirements of applicable legislation for the combatting of money laundering, fraud, terrorist financing, bribery, corruption, tax evasion, the provision of financial or other services to persons who may be subject to economic or trade sanctions; and
- any other local laws, regulations, directions, codes of practice, circulars, orders notices or demands which may otherwise apply;
(the purposes from a) to b) are jointly defined as the "Contractual Purposes")
a) for fraud prevention purposes within the limits not already required by applicable laws as well as to defend or claim a right, also as part of court proceedings;
b) for credit recovery procedures and credit assignment to authorized companies, also by means of third parties;
c) for the completion of a potential merger, sale of assets or transfer of all or a material part of its business, by disclosing and transferring your personal data to the third party or parties involved in the transaction as part of the transaction;
b) for credit recovery procedures and credit assignment to authorized companies, also by means of third parties;
c) for the completion of a potential merger, sale of assets or transfer of all or a material part of its business, by disclosing and transferring your personal data to the third party or parties involved in the transaction as part of the transaction;
(the purposes of letter c) above are jointly referred to as "Legitimate Interest Purposes")
d) with your prior consent, to provide you with marketing communications by means of electronic and physical channels of communication about the services or products we offer and to run surveys;
e) with your prior consent, to customize our Services and the marketing communications referred above on your preferences and habits (see Cookies Policy).
e) with your prior consent, to customize our Services and the marketing communications referred above on your preferences and habits (see Cookies Policy).
(the purposes of letters e) and f) above are jointly referred to as "Marketing Purposes").
Note: At this time, we are not in the process of implementing any of the marketing purposes.
C. Legal basis for the processing of your personal data
Data protection laws require that we meet certain conditions before we are allowed to use your data in the manner described in this DPA. We take our responsibilities under data protection laws extremely seriously, including meeting these conditions.
The processing of your personal data is necessary with regard to the Contractual Purposes as it is essential:
- for the performance of the Terms and Conditions between you and us. In order for us to fulfil our obligations under such contract, we will need to collect and process your personal data.
- in order to comply with applicable guidance provided by any relevant regulatory body and the obligations under applicable legislation, including anti-money laundering/fraud legislation.
- in order to comply with applicable guidance provided by any relevant regulatory body and the obligations under applicable legislation, including anti-money laundering/fraud legislation.
Failure to provide the data for the above purposes will unfortunately mean we cannot provide our services to you, as to allow you to use our Service would mean we would be in breach of our legal obligations.
The processing of your personal data with regard to the Legitimate Interest Purposes of Section B.2 is carried out in compliance with article 6, letter f) https://gdpr-info.eu/art-6-gdpr/ of the EU General Data Protection Regulation 2016/679 (the “European Privacy Regulation”), for the pursuit of GAEL Systems’ legitimate interest to the detection of potential frauds, the recovery of debts towards to company and the performance of the economic activities referred therein, which is adequately balanced with your interest since the data processing is performed within the limits strictly necessary to their performance.
This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and you can object to the data processing at any time through the modalities as per this DPA.
Finally, the data processing with regard to the Marketing Purposes is based on your prior consent. Such data processing is not mandatory however should you refuse to provide the relevant consent you will not receive marketing communications as per Section B.2. In any case, you can withdraw your consents at any time through the modalities as per this DPA.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
D. How do we process your personal data
Your personal data will be processed both electronically and/or manually, in any case in such a way as to guarantee the security, protection and confidentiality of the data, thanks to appropriate administrative, technical, personnel and physical measures against loss, theft and unauthorized use, disclosure or modification.
E. How long we keep your information for
Your Personal data will be stored for the period necessary to fulfil the purposes for which the data was collected as outlined in this DPA. In any case the following retention periods will apply to the processing of your personal data for the purposes indicated below:
- data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the services plus a period of 5 years after the termination or withdrawal from the contract with us, except when the detention of the data is necessary to respond or to file a legal actions, upon request of the competent authorities or in compliance with the applicable laws;
- data collected for Marketing Purposes relating to the delivery of marketing communications and running of surveys is retained for the duration of the Contract and a subsequent period of 24 months;
- data collected for Marketing Purposes relating to the delivery of marketing communications and running of surveys is retained for the duration of the Contract and a subsequent period of 24 months;
Note: At this time, we are not in the process of implementing any of the marketing purposes.
- data collected for Marketing Purposes relating to the profiling of your preferences for marketing purposes is retained for a period of 12 months from the time they are collected.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
F. Disclosure of your information
For the Contractual Purposes, personal data may be transferred to the following categories of recipients located within the EU and within the limits as set below:
(a) third parties service providers entrusted with processing activities that provide additional services, hosting cloud services or assistance and advice to GAEL Systems, with special but not exclusive reference to technology (in particular, but not exclusively analytics and search engine providers that assist us in the improvement and optimisation of our Service and other selected third parties), accounting, administrative, legal, insurance, IT matters; (b) affiliates; and (c) persons and authorities whose right to access personal data is recognized by law, regulations or provisions issued by legally empowered authorities. The abovementioned recipients will process personal data as data controllers, data processors or persons in charge of processing, depending on the circumstances.
For the Legitimate Interest Purposes, personal data may be transferred to the following categories of recipients located within the EU and within the limits set below:
(a) potential purchaser of GAEL Systems and the entities resulting from mergers or any other transformation involving GAEL Systems, (b) competent authorities.
For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits set below: (a) third parties service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
The data processors appointed by GAEL Systems include Serco Italia S.p.A and OVHCloud.
G. Your rights
You have a number of rights under data protection law in relation to the way we process your personal data. These are set out below. You may contact us by sending a communication to our DPO directly (see email address above) to exercise any of these rights, and we will respond to any request received from you within one month from the date of the request.
At any given time, you can exercise the following rights:
- to obtain from GAEL Systems confirmation of the existence of personal data and to be informed of its content and source, verify its accuracy and request its integration, update or amendment;
- to request the erasure, anonymization or restriction of the processing of personal data processed in breach of the applicable laws;
- to object in whole or in part, on legitimate grounds, to the processing of the data;
- to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).
- to request the erasure, anonymization or restriction of the processing of personal data processed in breach of the applicable laws;
- to object in whole or in part, on legitimate grounds, to the processing of the data;
- to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).
You will have the right, in any given moment, to:
1. request GAEL Systems to limit the processing of your personal data where:
- You contest the accuracy of the personal data until GAEL Systems have taken sufficient steps to correct or verify its accuracy;
- the processing is unlawful but you do not want us to erase your personal data;
- GAEL Systems no longer needs your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interests, pending verification as to whether GAEL Systems has compelling legitimate grounds to continue processing.
2. object to the processing of your personal data;
3. request the erasure of your personal data without undue delay;
4. receive an electronic copy of your personal data, if you would like to port your personal data to yourself or a different provider, when GAEL Systems is relying upon your consent or the fact that the processing is necessary for the provision of the services and the personal data is processed by automatic means; and
5. lodge a complaint with the relevant data protection supervisory authority.
- You contest the accuracy of the personal data until GAEL Systems have taken sufficient steps to correct or verify its accuracy;
- the processing is unlawful but you do not want us to erase your personal data;
- GAEL Systems no longer needs your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interests, pending verification as to whether GAEL Systems has compelling legitimate grounds to continue processing.
2. object to the processing of your personal data;
3. request the erasure of your personal data without undue delay;
4. receive an electronic copy of your personal data, if you would like to port your personal data to yourself or a different provider, when GAEL Systems is relying upon your consent or the fact that the processing is necessary for the provision of the services and the personal data is processed by automatic means; and
5. lodge a complaint with the relevant data protection supervisory authority.
H. Transfer of personal data
- GAEL Systems shall process (and have processed by its authorised subcontractors or sub-processors) personal Data only in the agreed territory of processing (European Union). Transfer of Personal Data outside the agreed territory shall only take place for the purpose of implementing, managing, monitoring the activities under the Terms & Conditions, and will only concern Data Recipients located in a country or international organisation offering an Adequate Level of Protection.
- The transfer of personal data towards a country not recognized as offering an Adequate Level of Protection may only be done after being authorised by the GAEL Systems Data Protection Officer (DPO) and subject to “adequate safeguards with respect to the protection of the Personal Data and data subject’s rights”.
- As “adequate safeguards”, the Parties agreed to adopt the level of protection resulting from the provisions of the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679.
- The transfer of personal data towards a country not recognized as offering an Adequate Level of Protection may only be done after being authorised by the GAEL Systems Data Protection Officer (DPO) and subject to “adequate safeguards with respect to the protection of the Personal Data and data subject’s rights”.
- As “adequate safeguards”, the Parties agreed to adopt the level of protection resulting from the provisions of the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679.
I. The Data Protection Officer
The data protection officer appointed by GAEL Systems pursuant to Section 37 of the Privacy Regulation can be contacted at the following email address: support@deltatwin.eu.
J. Changes to this DPA
Any changes to this DPA in the future will be posted on this page, and where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this DPA.
SesamEO® Cookies Policy
Cookie List
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We may also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
You can set your browser to block or alert you about cookies, but some parts of the site may not function as intended.
Use this link to see how to do this for your browser, https://www.aboutcookies.org.uk/managing-cookies.
More specifically, we use cookies and other tracking technologies for the following purposes:
Strictly necessary cookies are required to make our Service work by enabling core functionality such as navigating our pages, accessing secure areas and protecting us from attack, robots and spam. We cannot offer an opt-out as without them the website cannot function properly.
Functional cookies allow the site to provide enhanced functionality and personalisation. They may be set by us or by third party provider whose services or contents we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We may also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts.
Note: At this time, we are not in the process of implementing any of the marketing purposes.
You can set your browser to block or alert you about cookies, but some parts of the site may not function as intended.
Use this link to see how to do this for your browser, https://www.aboutcookies.org.uk/managing-cookies.
More specifically, we use cookies and other tracking technologies for the following purposes:
a) Strictly Necessary Cookies
Strictly necessary cookies are required to make our Service work by enabling core functionality such as navigating our pages, accessing secure areas and protecting us from attack, robots and spam. We cannot offer an opt-out as without them the website cannot function properly.
b) Functional Cookies
Functional cookies allow the site to provide enhanced functionality and personalisation. They may be set by us or by third party provider whose services or contents we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
c) Data stored
| Cookie name | Description | Cookie type |
|---|---|---|
| __Secure-next-auth.callback-url | Address of the service advertised to the authentication service when user logs in or logs out. | Strictly necessary |
| __Host-next-auth.csrf-token | Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor. | Strictly necessary |
| __Secure-next-auth.session-token.0 | This variable stores the authentication token assigned to the user during login. This token allows us to verify that the user is authenticated and to maintain their active session. If this cookie exceeds 4Kb, a new cookie named next-auth.session-token.1 will be used. | Strictly necessary |