Privacy policy

Last updated: August 2025

1. Preamble

This English version is provided for convenience only and is a non-official translation. In case of discrepancy or divergence, the French version (“Politique de Confidentialité de la Société Française de Cosmétologie”) shall prevail.

The French Society of Cosmetology (hereinafter “SFC”), an association governed by the law of 1 July 1901, attaches particular importance to the protection of personal data and respect for privacy.

This Privacy Policy applies to all personal data processing implemented by SFC in the course of its activities, including:

  • the management and animation of its www.sfcosmeto.fr website  and associated services (forms, job space, directory, newsletters, cookies and trackers);
  • the membership of members and the management of statutory life (subscriptions, assemblies, institutional and scientific communications);
  • the organisation and monitoring of scientific, institutional, educational or professional events organised by the SFC, in person or remotely;
  • the participation of speakers (speakers, authors, researchers) and the dissemination of their contributions in a scientific and institutional framework;
  • the relationship with sponsors, partners and exhibitors, in the context of their participation in events and contractual visibility commitments.

The Policy thus concerns all persons involved in SFC’s activities: members, website visitors, event participants, speakers, sponsors, institutional partners and exhibitors.

2.  Data controller

The French Society of Cosmetology (SFC), an association governed by the law of 1 July 1901, represented by its President, acts as a data controller within the meaning of Article 4.7 of the GDPR.

Contact details:

  • Postal address: 210 boulevard Bineau – 92200 Neuilly-sur-Seine – France
  • Email: contact@sfcosmeto.fr

The SFC has appointed a Data Protection Officer (DPO), who can be contacted for any questions relating to the protection of personal data or the exercise of your rights, at the following address: rgpd@sfcosmeto.fr.

3. Data collected

The SFC collects only the personal data that is strictly necessary for the purposes described in Article 3, in accordance with the principle of minimisation provided for in Article 5 of the GDPR.

The categories of data processed are as follows:

a. Technical and browsing data (website)

  • IP address, connection logs, browser and operating system information;
  • Cookies and trackers (management via a consent manager);
  • Data from an audience measurement tool, as specified in the cookie policy.

b. Data provided via online forms

  • Identity (surname, first name, title);
  • Contact information (email address, telephone number, postal address if applicable);
  • Information freely communicated in the message or request fields.

c.  Membership and governance data (Members)

  • Identity and contact details (surname, first name, title, postal address, email address, telephone number, organisation to which they belong, position);
  • Information related to membership (membership number, any supporting documents such as student or retiree, professional status);
  • Financial data (payments, contributions, invoices, transaction references);
  • Participation in general meetings, votes, committees or working groups.

d. Event Data (Attendees)

  • Identity, professional contact details, function, organization;
  • Registration data (form, options chosen, payment);
  • Logistical data (accommodation, catering, specific needs if provided);
  • Data related to badges and access controls (login, QR code);
  • Images and recordings made during the events (photographs, videos, audiovisual recordings).

e. Speakers, authors, and researchers

  • Identity, professional and institutional contact details;
  • Biographical and academic information for scientific presentation (programs, materials, publications);
  • Communications, articles or materials submitted to the SFC;
  • Audio/video recordings of the interventions.

f.  Sponsor, partner and exhibitor data

  • Identity and professional contact details of contact persons;
  • Contractual and visibility information (logos, mentions, promotional materials);
  • Data transmitted by participants who have consented to the scanning of their badge (identity, position, organization, professional email address).

g. Special categories of data

The SFC does not collect sensitive data within the meaning of Article 9 of the GDPR (health data, political opinions, religious beliefs, trade union membership, racial or ethnic origin, sexual orientation), unless strictly necessary for the organisation of an event (e.g. voluntary indication of a specific diet).

4. Members

The SFC processes the personal data of its members in the context of the management of associative life. This includes data relating to identity, contact details, the organisation to which they belong, proof of membership, contributions and payments, as well as participation in statutory bodies.

This data is used to:

  • Administratively and statutorily manage memberships,
  • To ensure the follow-up of contributions,
  • Disseminating institutional and scientific communications,
  • Organize associative life (assemblies, commissions, working groups).

The data is kept for the duration of the membership and then archived for five (5) years.

5. Member Directory

The registration of your profile in the SFC member directory, distributed in paper and online versions, is based on the legitimate interest of the SFC to promote exchanges between members and the scientific network. This directory is accessible exclusively to other members of the SFC and may not be used for commercial purposes, prospecting or canvassing. However, you may object to your registration in the directory at any time by writing to: rgpd@sfcosmeto.fr.

6.  Event attendees

The SFC processes the data of people who register for and participate in its events, whether in person or online.

This includes data relating to identity, professional contact details, function, organisation, registrations and payments, access badges, as well as the logistical needs expressed.

This data is used to:

  • Manage registrations and payments,
  • Organising the logistics, technology and security of the events,
  • To provide practical and scientific information to participants.

The data is kept for three (3) years after the end of the event.

7. Image capture and speakers’ data

As part of its events, the SFC can make photographic and audiovisual recordings.

These recordings are used for institutional and scientific purposes, to the exclusion of any commercial use. Participants have the right to object, which can be exercised at any time by contacting the organisation.

The SFC also processes the data of the speakers (speakers, authors, researchers), including their identity, their professional contact details, biographical elements, their scientific support and the recordings of their interventions.

These data are used for the scientific and institutional dissemination of the SFC’s activities and are kept for five (5) years.

The recordings do not give rise to any commercial exploitation or dissemination outside the institutional and scientific framework of the SFC.

8. Sponsors and partners

SFC processes the data of its sponsors, partners and exhibitors in connection with their participation in events.

This includes data relating to the identity and contact details of contact persons, contractual elements, logos and communication media.

This data is used to execute SFC’s contractual visibility commitments.

If the participant consents, the data from the scan of his or her badge may be transmitted to sponsors and exhibitors, who then act as independent data controllers.

The data is retained for the duration of the partnership and then archived for three (3) years. The data from the badge scans is not kept by the SFC beyond the management of the event.

9. Purposes and legal bases

The processing of personal data carried out by the SFC has the following purposes. Each purpose is based on a specific legal basis within the meaning of Article 6 of Regulation (EU) 2016/679 (“GDPR”).

The processing activities carried out by the SFC are based, depending on the case:

  • To ensure the execution of the membership contract (management of members, invoicing, organization of events),
  • To manage the legitimate interest of the association (in particular for the maintenance of the directory of members and institutional or scientific communication with members),

10. Management and operation of its website

  • to ensure the technical operation, security and maintenance of the website (legal basis: SFC’s legitimate interest in ensuring the availability and security of its digital services);
  • respond to requests sent via contact forms (legal basis: legitimate interest of the SFC to manage the requests received);
  • manage the subscription and sending of the newsletter (legal basis: consent of the data subject);
  • Establish statistics on the number of visitors and use of the site via an audience measurement tool [tool to be confirmed by the service provider] (legal basis: consent of the person concerned).

a. Management of memberships and associative life (Members)

  • processing membership applications, managing membership fees and delivering associated services (legal basis: execution of the membership contract);
  • ensure the administrative, statutory and accounting follow-up of the association (legal basis: legal and statutory obligation weighing on the SFC);
  • to organise and lead the scientific and associative life of the SFC, to send members institutional and scientific information (legal basis: legitimate interest of the association);
  • sending, subject to the express consent of the member, newsletters or invitations to other events (legal basis: consent).

b. Organization and monitoring of events (Participants)

  • register and process registrations, manage payments and issue access badges (legal basis: contract performance);
  • ensure the logistical, technical and security organisation of events (legal basis: legitimate interest of the SFC);
  • provide participants with practical and scientific information necessary for their participation (legal basis: legitimate interest);
  • to produce and disseminate photographic and audiovisual recordings for institutional and scientific purposes, in compliance with the participants’ right to object (legal basis: legitimate interest), it being specified that individualised recordings for promotional purposes require the consent of the person concerned.

c.  Stakeholder management (speakers, authors, researchers)

  • collect and manage information relating to the participants (legal basis: performance of the contract or legitimate interest of the SFC in organising its scientific programme);
  • disseminate their communications and media, as well as the recordings of their interventions, in a scientific and institutional framework (legal basis: legitimate interest of the SFC).

d.  Sponsors, partners and exhibitors

  • manage the contractual relationship and ensure the visibility provided for in the agreements entered into (logos, mentions, programs, promotional materials) (legal basis: performance of the contract);
  • To transmit, subject to the express consent of the participants, certain data from the scan of badges during events (identity, function, organisation, professional contact details) to the sponsors and exhibitors concerned, who then act as independent data controllers (legal basis: consent).

e. Compliance with legal and regulatory obligations

  • to comply with the SFC’s legal, regulatory and tax obligations, in particular in terms of accounting and association management (legal basis: legal obligation);
  • process requests to exercise the rights granted to data subjects by the GDPR (legal basis: legal obligation).

11. Recipients of the data

The personal data collected and processed by the SFC are only accessible to persons and entities who need it for the purposes defined in Article 7.

It may be communicated to the following categories of recipients:

a. Within SFC

  • the governing bodies (Board of Directors, Bureau);
  • authorised salaried or volunteer staff, for administrative, scientific, statutory or logistical needs;
  • members, within the framework of the internal directory or statutory bodies, when provided for in the articles of association or accepted by the person concerned.

b. Technical and logistics service providers acting as subcontractors

These service providers operate exclusively on the instructions of the SFC and within the framework of contracts that comply with Article 28 of the GDPR. These include:

  • hosting and technical infrastructure providers (e.g. a hosting provider based in France);
  • website maintenance and development providers;
  • email and newsletter solution providers;
  • audience measurement and cookie management providers;
  • online payment solution providers, which may involve transfers outside the European Union subject to appropriate safeguards;
  • logistics and audiovisual service providers in the context of events.

c. Sponsors, partners and exhibitors

In the context of events, certain data may be transmitted to sponsors, institutional partners or exhibitors only when the Participant has consented to this (e.g. scanning of the badge at the entrance to a stand).

In this case, the data transmitted (identity, function, organisation, professional contact details) are used by the sponsors and exhibitors concerned, who then act as independent data controllers, under their sole responsibility and in accordance with their own privacy policy.

d. Public authorities and bodies

The SFC may be required to communicate certain data to the administrative, judicial or tax authorities, when required by law or regulation.

The SFC does not transfer personal data to third parties for commercial purposes.

12. Cookies

When browsing the SFC website, cookies and other trackers may be placed on your device.

a. What is a cookie?

A cookie is a small text file that is placed on a computer, tablet or smartphone when a website is visited.

In particular, it allows:

  • to ensure the proper technical functioning of the site;
  • to facilitate navigation;
  • remember certain user preferences;
  • To obtain audience measurement and improve the services offered;
  • to enable the integration of external services (video playback, display of interactive maps, online payment, subscription to newsletters).

Some cookies are strictly necessary for the operation of the site and do not require prior consent. The others are subject to the consent of the user, who can give or withdraw consent at any time.

b. Applicable legal basis

In accordance with Article 82 of the Data Protection Act and the recommendations of the CNIL, strictly necessary cookies can be deposited without consent, while others require the user’s prior consent.

c. Management of user consent

Cookies are managed by a consent manager, allowing the user to:

  • accept or refuse non-essential cookies,
  • make granular choices on a service-by-service basis,
  • modify preferences at any time via a module accessible on each page.

The choice expressed (acceptance or refusal) is kept for six (6) months.

d. Categories of cookies used

Category of cookies // Purpose // Legal basis // Retention period // Type

Strictly necessary cookies // To ensure the technical operation of the site, the management of sessions and the memorization of consent choices // Necessary for the operation of the site (exempt from consent) // Session or 6 months (to memorize the choice) // Cookie HTTP

Audience measurement cookies // Establish statistics on the number of visitors and use of the site Consent  // 13 months (cookies), 25 months (anonymised statistics)  // Cookie HTTP

Personalization and Convenience Cookies  // Adapt the display or remember navigation preferences     // Consent    // 13 months maximum  // Cookie HTTP

Embedded Video Related Cookies  // Enable playback of videos hosted on external platforms // Consent // 6 months to 2 years depending on the settings  // Cookie HTTP

Cookies related to interactive maps // Enable the display and use of embedded maps  // Consent // 6 months to 2 years depending on the settings  // Cookie HTTP

Cookies related to online payment services // Ensure the secure operation of transactions      Consent // 1 year maximum // Cookie HTTP

Cookies related to electronic communication services // Manage the subscription and sending of newsletters // Consent // 13 months maximum // Cookie HTTP

e. User configuration

The user can manage his preferences:

  • via the consent management module accessible on each page;
  • or via the settings of your browser (Chrome, Firefox, Safari, Edge, etc.).

Refusing certain cookies may limit access to certain features, but may not prevent basic browsing.

13. Retention periods

The SFC retains personal data only for as long as is strictly necessary for the purposes for which they are collected. Where legal terms exist, they are applied.

Failing this, the SFC refers to the recommendations of the CNIL and the applicable civil and commercial requirements.

CATEGORY OF DATA // RETENTION PERIOD

Data related to membership and statutory life (identity, contact details, supporting documents, participation in bodies)   // During the membership period, then archiving for 5 years (civil prescription)

Billing and payment data (invoices, bank references)  // 10 years (accounting and tax obligation)

Institutional and scientific communications sent to members  //   3 years after the end of membership or last contact (CNIL good practice)

Event data (registrations, badges, logistics options, payments) // 3 years after the event (CNIL good practice)

Photo/video recordings of participants and speakers // 5 years maximum (proportionate legitimate interest)

Data relating to the speakers (bio, contact details, materials provided) // During the period of scientific valorization, then archiving 5 years (civil prescription)

Data relating to sponsors, partners, exhibitors (contracts, logos, contacts)  //   During the duration of the partnership, then archiving for 3 years (commercial prescription)

Data from badge scanning (contact details provided with consent)  //    Immediate transmission to the sponsor; retention by the SFC limited to the management of the event and deletion within 30 days maximum

Technical browsing data (logs, IP)  // 12 months maximum (security, ANSSI/CNIL good practice)

Data from online forms  //    3 years after the last contact (CNIL good practice)

Newsletter subscription data  // Until the withdrawal of consent or 3 years of inactivity (CNIL good practice)

Cookies and other non-essential trackers   // 13 months maximum (CNIL recommendation)

Record of cookie preferences (consent manager)  // 6 months (CNIL recommendation)

Anonymized traffic statistics (audience tool)  // 25 months maximum [to be confirmed with the technical service provider]

Proof of consent (opt-in, forms)  // During the contractual relationship + 3 years after withdrawal/opposition (proof in case of dispute)

Proof of acceptance of the applicable terms and conditions (General Terms of Membership / General Terms of Use / Terms and conditions of Event)   //    5 years (civil statute of limitations)

Proof of situation for reduced rate (non-members)   // Storage limited to the time strictly necessary for the inspection, then deletion within a maximum of 30 days.

14. Security

The SFC implements all appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of personal data that it carries out, in accordance with Article 32 of the GDPR.

These measures are aimed in particular at:

  • ensure the confidentiality of data and limit access to it only to persons authorised by virtue of their functions;
  • protect the integrity and availability of systems and information;
  • prevent loss, alteration, destruction or unauthorized access to data;
  • guarantee the traceability of the accesses and operations carried out;
  • Ensure regular data backups and business continuity.

The SFC contractually requires its service providers and subcontractors to implement technical and organisational security measures that are equivalent and adapted to the risks associated with the processing carried out on its behalf.

In the event of a personal data breach likely to pose a risk to the rights and freedoms of individuals, the SFC undertakes to notify the CNIL of the breach within the legal deadlines and, when required, to inform the person concerned.

In some cases, the processing may involve transfers of personal data outside the European Union, in particular in the context of:

  • online payment services,
  • solutions for the distribution of newsletters and electronic communications,
  • technical or logistical tools related to the organisation of events (e.g. registration platforms, ticketing, online broadcasting of conferences),
  • or more generally of certain digital communication services.

These transfers are carried out exclusively:

  • to countries that have been the subject of an adequacy decision by the European Commission, or
  • on the basis of the appropriate safeguards provided for in Articles 44 et seq. of the GDPR, in particular the standard contractual clauses adopted by the European Commission.

Data subjects can obtain any useful information on the guarantees applicable to these transfers by contacting the SFC’s Data Protection Officer (rgpd@sfcosmeto.fr).

15. Rights of individuals

In accordance with Articles 15 to 22 of Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and the provisions of the amended Data Protection Act, any person concerned by data processing carried out by the SFC has the following rights:

  • Right of access : to obtain confirmation as to whether or not personal data concerning him or her is being processed, and to receive communication of this in a comprehensible form.
  • Right to rectification : request the rectification of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): obtain the deletion of one’s data when its retention is no longer necessary in relation to the purposes for which it was collected, unless there is a legal obligation to retain it.
  • Right to restriction of processing : to obtain the temporary suspension of processing in the event of a dispute about the accuracy of the data, the lawfulness of the processing or in the event of an objection.
  • Right to object : to object at any time, for reasons relating to one’s particular situation, to processing based on the legitimate interest of the SFC; to oppose, without justification, the use of one’s data for prospecting purposes. If the processing is based on the SFC’s legitimate interest, you can exercise your right to object at any time for reasons relating to your particular situation. Your objection will be taken into account for the future, with no retroactive effect on the paper editions of the directory that have already been distributed.
  • Right to portability : to receive the data provided to the SFC in a structured, commonly used and machine-readable format, and to transmit it to another data controller.
  • Right to withdraw consent : where the processing is based on consent, the withdrawal may take place at any time, without affecting the lawfulness of the processing already carried out.
  • Right to define post-mortem directives regarding the fate of personal data: to decide how one’s personal data should be handled after death.

The rights can be exercised by sending a request accompanied by proof of identity:

  • by email: rgpd@sfcosmeto.fr
  • by mail: French Society of Cosmetology – 210 boulevard Bineau – 92200 Neuilly-sur-Seine.

The SFC undertakes to respond within one (1) month of receipt of the request, which can be extended by two (2) months in the event of complexity or a high number of requests, in accordance with the GDPR.

In the event of an unresolved difficulty, the person concerned has the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) – www.cnil.fr.

16.  Applicable law and jurisdiction

This Policy is governed by French law.

Any dispute relating to its interpretation, execution or application falls under the exclusive jurisdiction of the courts of Paris, subject to the rules of mandatory jurisdiction provided for by law.

17.  Policy Update

The SFC may modify this policy to take into account any legal, technical or organizational changes.

The date of the last update is listed in the header.

In the event of a substantial change, the information will be brought to the attention of the persons concerned by any appropriate means, in particular by publication on the SFC website and, where relevant, by sending an e-mail to the members and subscribers concerned.