Personal Data Protection

Contact Us

Dassault Systèmes has always considered the protection of personal data as a major concern for its customers and partners and is aware of the responsibility in the processing of such data. Since the introduction of the European Union’s General Data Protection Regulation (GDPR) as well as other data protection laws, Dassault Systèmes has continuously reasserted its data privacy commitment by improving its solutions through new capabilities that enable relevant stakeholders to manage their data privacy compliance programs.

 

Dassault Systèmes values the confidence of its customers, users, staff, and global ecosystem. Therefore, any personal data collected, used, disclosed, and transferred is managed in a manner consistent with the laws, regulations, and practices of the countries in which Dassault Systèmes does business.

How has Dassault Systèmes addressed data privacy compliance?

To support this compliance, Dassault Systèmes has implemented a personal data protection compliance Program (“Data Privacy Program”) within the Dassault Systèmes Group. This Program is based on the following main principles:

  • Appointment of a Group Data Protection Officer and establishment of a cross functional Privacy team that oversees both internal and stakeholders’ compliance requirements. This team is charged with:
    • Managing Dassault Systèmes’ internal compliance with regards to data privacy laws and policies;
    • Continuously identifying and monitoring enhancements to Dassault Systèmes’ solutions, websites and communications to enable stakeholders’ compliance to privacy laws, including, but not limited to, GDPR.
  • Deployment of the Dassault Systèmes’ Global Training Plan on privacy to ensure a high level of awareness of Dassault Systèmes’ employees. As such, employees must agree to follow Dassault Systèmes’ Code of Business Conduct, IT charter and data privacy policies and must follow mandatory ethics and compliance trainings addressing security and privacy, including:
    • Preventing threats to data security.
    • Securing physical data and workstations; clean desk policy.
    • Personal data protection and confidentiality.
    • Ethical business behavior; anti-corruption and competition law principles.
    • Incident management; recognizing and reporting potential threats. We continually foster security and privacy awareness throughout the organization.
  • Implementation of technical and organizational measures to protect personal data. These measures are updated from time to time to reflect evolutions according to Dassault Systèmes standards. Dassault Systèmes is especially certified ISO 27001:2022 (Information security management) and ISO 27701:2019 (Personal Data Protection management) for the 3DEXPERIENCE platform SaaS, when acting as controller for handling of personal data provided in this context and processor for personal data under the control of a customer and processed in this environment. Other Cloud Offerings are also certified. For more information, please refer to Dassault Systèmes’ Annual Report.
  • Implementation of intercompany data processing agreements, which include joint controllership provisions determining the responsibilities between the Dassault Systèmes Group companies. Should you have any questions regarding this agreement, or want to access the essence of this arrangement please fill out the following contact form: https://www.3ds.com/privacy-policy/contact/
     

What is the responsibility of a data controller versus a data processor?

In the course of its business activities, Dassault Systèmes is acting as data controller or data processor under certain applicable data privacy legislations. Designation of an entity as controller or processor entails different obligations.

Dassault Systèmes is acting as data controller when processing personal data for its needs according to its Privacy Policy. This Privacy Policy provides information about:

  • The types of personal data Dassault Systèmes may collect (e.g. contact details);
  • How the personal data is collected;
  • The purposes and legal basis of processing individuals’ personal data (e.g. to comply with the law, for marketing purposes with their consent);
  • The data subjects’ rights and choices about their personal data: Depending on their jurisdiction, they may have legal rights associated with Dassault Systèmes’ processing of their personal data, including rights to access, correct, delete, transfer, or object to the processing of their personal data. Regardless of where their live, Dassault Systèmes will honor their request to opt-out of being contacted for marketing reasons;
  • How to contact Dassault Systèmes.

On the contrary, Dassault Systèmes is acting as data processor when it provides certain Dassault Systèmes’ solutions such as the 3DEXPERIENCE Platform on the Cloud and services to an enterprise for the personal data it has been asked to process and store. Dassault Systèmes’ Customers and other business stakeholders (herein after “customers”) are considered as acting as data controller and, in that respect are ultimately responsible for determining how they will comply with the applicable data privacy laws based on their specific business requirements when using Dassault Systèmes’ solutions. Consequently, customers need to determine when personal data should be processed (deleted or modified per the applicable data protection laws) or when it should be retained for record keeping or regulatory, industry or statutory purposes. It is the responsibility of Dassault Systèmes to release its solutions with functionalities that enable customers to be compliant with applicable data protection legislation. That is why Dassault Systèmes’ solutions are designed according to the concepts of “Privacy by Design” and “Privacy by Default” that aim to ensure that privacy is integrated into applications from the design stage.

When Dassault Systèmes provides such solutions to their customers to operate aspects of their businesses, including the collection, processing and storage of personal data, it processes this data as instructed by their customers, and do not control or own provided personal data. Customer’s instructions may include processing or using personal data for purposes of providing or developing the Dassault Systèmes’ solutions and services

In addition, Dassault Systèmes, in some cases, may use third-party providers to assist their customers, such as to provide technical or operational services including data hosting, transmission, and storage. These providers may access, process, or store personal data in the course of providing their services. Dassault Systèmes maintain contracts with these providers restricting their access, use and disclosure of personal data in compliance with data privacy laws, including Dassault Systèmes’ obligations under the Data Privacy Framework as further described below. Dassault Systèmes may be liable if these third parties fail to meet those obligations and is responsible for the event giving rise to the damage.

As Dassault Systèmes acts as processor for the personal data customers provide through the use of Dassault Systèmes’ solutions or services, individuals who seek to access, correct, amend or delete their personal data, should contact the customer acting as controller. In some instances, such individuals may be able to perform these operations by themselves. If the customer requests Dassault Systèmes to remove the personal data to comply with data privacy regulations, it will respond to their customer’s request within the period compliant with the applicable data privacy laws.

The rights and choices offered regarding limiting the use and disclosure of the individuals’ personal data Dassault Systèmes processes as a processor are under the responsibility of their customers. Under the agreements signed between them, Dassault Systèmes is committed to assist their customers in complying with the applicable data privacy laws in the provision and fulfillment of such rights and choices. 

Data Privacy Framework

Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce when acting as either a data controller or data processor. Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation have certified to the U.S. Department of Commerce that they adhere to:

  • the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
  • the Swiss-U.S. Data Privacy Framework Program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. 

If there is any conflict between the terms in this commitment and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation certification, please visit the Data privacy framework website at https://www.dataprivacyframework.gov/.

Inquiries or complaints: In compliance with the Data Privacy Framework Principles, Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation commit to address privacy complaints related to the collection or use of individuals’ personal data transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Dassault Systèmes via the contact form available here: https://www.3ds.com/privacy-policy/contact/

Individuals may also refer any inquiries or complaints by mail to:

Dassault Systèmes Americas Corp.
Attn: Legal Department, Americas Data Protection Officer

175 Wyman Street
Waltham, MA  02451- United States

or to  Economic European Area-based Parent at:

Dassault Systèmes SE

Attn: Legal Department, Group Data Protection Officer

10 Rue Marcel Dassault
78140 Vélizy-Villacoublay - France

Individuals may also refer a complaint to their local data protection authority, and Dassault Systèmes will work with them to resolve their concern. In compliance with the EU-U.S. DP, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation commit to cooperate and comply with the advice of the panel established by the EU data protection authorities, the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner with regard to unresolved complaints concerning their handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

If a complaint cannot be resolved through the above channels, under certain conditions, individuals may invoke binding arbitration for some residual not resolved claims. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

Compelled disclosure: Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements. Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation, as the case may be, will notify their customer and the individuals as applicable of any such requests unless prohibited by law.

U.S. Federal Trade Commission investigation and enforcement: Dassault Systèmes Americas Corporation and Dassault Systèmes SolidWorks Corporation commitments under the DPF are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.