The purpose of this data protection policy (hereinafter the ‘Policy’) is to provide Keyrus’s clients and prospective clients with information on how it processes their personal data, as a data controller and as a data processor. Under its contractual and pre-contractual relationships, Keyrus undertakes to comply with the regulations in force applicable to personal data processing, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the ‘GDPR’), as well as any applicable national regulations (hereinafter the ‘Regulations’).



« Client » means any natural or legal person for whom Keyrus provides a service or benefit.

« Recipient » means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

« Personal data » means any information relating to an identified or identifiable natural person (hereinafter the ‘Data subject’); an ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of said natural person.

« KEYRUS » means any company belonging to the Keyrus Group, either controlled by Keyrus SA pursuant or with whom Keyrus SA has a legal relationship.

« Prospective client » means any natural or legal person who may use services provided by and/or be in contact with Keyrus.

« Data controller » means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union or Member State law, the Data controller or the specific criteria for its nomination may be provided for by Union or Member State law.

« Data processor » means the natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Data controller.

« Processing » means any operation performed on Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

« Personal data breach » means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise processed.



As stated in the preamble herein, Keyrus makes every effort to ensure ongoing compliance with the key principles of the GDPR and to assure all its Clients and Prospective clients that any Personal data collected is processed in a legal, fair and transparent manner.

Personal data is collected for specific, express and legitimate purposes and KEYRUS undertakes not to process it for purposes which are incompatible with these objectives.

Keyrus respects the principle of data minimisation, in accordance with Article 5(c) of the GDPR, specifically that the Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purposes defined below. In this way, Keyrus ensures that ‘comment fields’ include only relevant and limited information.


For each specific Processing operation, particularly in relation to security (video surveillance, swipe cards, etc.) or use of an IT resource made available to the Client or Prospective client by Keyrus (software, hardware, etc.), Data subjects shall receive a specific statement telling them how their Personal data is processed.


If your Personal data has not been collected directly by Keyrus, it may have been received by our database leasing partners or business partners who are the Data controllers of their databases. The databases to which we have access may contain Personal data other than that described above, which we may consult, such as your photo or career history.


Keyrus undertakes to keep your Personal data secure and confidential pursuant to the regulations in force and to ensure that all Recipients follow appropriate security and confidentiality safeguards.

Recipients who may receive your Personal data include:

  • Authorised personnel of Keyrus;
  • Partners and processors of Keyrus;
  • Organisations, court officers and legal professionals as part of their debt collection duties;
  • The Data Protection Officer.

In the case of a dispute, your Personal data may be sent to:

  • People working to resolve the conflict;
  • The legal authorities in the case of an offence;
  • Judicial or administrative courts, joint or commercial, or an arbitration panel, in order to establish, exercise or defend Keyrus’s rights;
  • Judicial or administrative courts, in order to execute an enforceable court decision which is binding on Keyrus;
  • Any natural or legal person in order to execute an enforceable court decision which is binding on Keyrus.

Authorised suppliers may also have access to your Personal data as part of the services they may provide, including in connection with software solutions or IT resources used to process your Personal data (maintenance, support, hosting, security and monitoring of IT resources, etc.).

As part of the development strategy of the Keyrus Group, we could disclose your Personal data to a third party in the case of a sale, merger, divestiture or any other operation on all or a part of our activity, our financial assets and shares.


The storage period applicable to your Personal data is determined according to the storage times provided for by law and regulations and the type of data concerned.

The main storage periods for documents relating to Client and Prospective client management include, but are not limited to, the following:

Keyrus shall not store Personal data in a form allowing identification of Data subjects for a period longer than necessary, taking into account the purpose for which the data was originally collected.

Keyrus may store data for longer periods if Personal data is processed for filing purposes in the public interest, scientific or historical research or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of Data subjects.


Keyrus implements all the technical and organisational measures it deems appropriate, in accordance with Article 32 of the GDPR, in order to ensure the security and privacy of your Personal data.

We ensure that all Recipients comply with the appropriate security and privacy safeguards.

Keyrus cares about Personal data protection and makes its staff aware of Personal data security.

For further information regarding your data security, please contact our DPO.


In the case of your Personal data being transferred to a recipient located in a non-European Community Member State, appropriate safeguards shall be put in place, in accordance with the GDPR, and Keyrus shall inform you of these by any means possible.

Personal data transfer within entities of the Keyrus Group not covered by a European Commission adequacy decision generally involves the signing of standard contract terms.

Keyrus has implemented a data transfer policy. Please contact our DPO for more information.


In accordance with the regulations, you may access Personal data concerning you and request for it to be corrected or deleted. You also have the right to limit or object to the Processing of your Personal data and the right to portability of your data, where appropriate.

To gain a full understanding of these rights and the means of exercising them, you can send your questions and/or requests to our Data Protection Officer (DPO) by:

The DPO shall reply to you as quickly as possible.

You also have the right to make a complaint to the French Data Protection Agency (CNIL), which is currently located at the following address: 3 place de Fontenoy, 75007 Paris.


As part of the provision of its services, Keyrus may process Personal data on behalf of the Client. In this case, the Client is the Data controller and Keyrus is the Data processor.

As a Data processor, Keyrus undertakes to process Personal data in accordance with the Client’s written instructions.

Pursuant to article 28 of the GDPR, Keyrus and the Client shall sign a contract defining in particular the subject and duration of the Processing, the nature and purpose of the Processing, the type of Personal data and categories of Data subjects, and the rights and responsibilities of the Data controller. In this context, Keyrus makes its Data Processing Contract (‘DPC’) template available to the Client under a confidentiality obligation.

Keyrus undertakes to comply with the technical and organisational measures defined by mutual agreement with the Client in accordance with article 32 of the GDPR in order to ensure data security and privacy. Keyrus makes its Information Security Systems Policy (ISSP) available to the Client under a confidentiality obligation. Where necessary, the Parties may agree on a Security Assurance Plan (SAP).

If Keyrus calls upon a subsequent Data processor to perform part of the services conferred upon it, the latter may have access to Personal data. In this case, Keyrus shall ensure that the Data processor is also bound by the obligations in force regarding data protection.

In the case of your Personal data being transferred to a Recipient located in a non-European Community Member State, appropriate safeguards shall be put in place, in accordance with the GDPR.

The support and assistance provided by Keyrus to the Client is defined in the contract, as well as the audit conditions. Keyrus shall comply with the provisions of the GDPR relating to notifications it must make to the Client.

Keyrus ensures that persons authorised to process Personal data undertake to respect privacy or are subject to an appropriate legal confidentiality obligation.


This Policy may be amended by Keyrus management in order to take into account recommendations from the CNIL, changes in the law, case-law or information technology and, more generally, on the basis of any developments in IT and communications technology.