As an independent secretary, you have created your business plan, chosen your legal status and completed all the required steps, but have you thought about the administrative documents you must provide to your clients? You have probably already heard about them. In this article, we will talk about Terms and Conditions (CGV) and GDPR.

What Are Terms and Conditions (CGV)?

The Terms and Conditions (CGV) are a document whose main purpose is to define the contractual relationship between a professional and their clients. They must be provided to any client who requests them; if the client does not request them, providing them is not mandatory. However, they must appear in contractual documents (order forms, quotes, contracts) and promotional materials. Failing to do so may result in sanctions.

CGV inform clients (both consumers and professionals) of the conditions before any transaction and form the basis for negotiation between the two parties.

The format of the CGV is not regulated by law, but they must be presented in writing and signed by the client. For online service providers, the law requires that the CGV can be downloaded and printed.

Important: CGV must be adapted to the professional’s specific activity. Terms and Conditions for the sale of goods will not be the same as those for service provision.

CGV primarily aim to inform the client, but their importance differs depending on whether the professional is dealing with a consumer or another professional. In B2B relations, CGV specify pricing methods and conditions, helping avoid disputes during contract execution.

How to Write Effective Terms and Conditions?

Writing CGV is challenging when you’re just starting out. Many new entrepreneurs are not comfortable with legal terminology and sometimes copy CGV from other websites.

Warning: Copying CGV from another website exposes you to legal risks and may be considered copyright infringement. It is better to use a customizable template.

To help you avoid problems and make the process easier, here are some good practices. Please note that the information in this article is indicative and does not replace legal advice.

Mandatory Clauses in Your CGV and Service Agreements

Your Terms and Conditions must include:

Your identity and contact details
The main characteristics of the service
Unit prices, pricing methods or a detailed quote
Payment terms, deadlines, late penalties and indemnities
Possible discounts and applicable conditions
Service delivery deadlines
Dispute resolution procedures
Right of withdrawal conditions (Hamon Law grants consumers a 14-day withdrawal period for online services)

Note: You may use different CGV for different categories of clients (wholesalers, retailers…).

CGV vs Service Contract: What’s the Difference?

CGV provide a general framework that applies by default.
The service contract becomes essential when specific arrangements deviate from the CGV.

A contract allows you to modify or supplement the CGV depending on the needs of a particular mission.

As a service provider, you must specify in the contract that contract terms prevail over the CGV.

Example: Change in service pricing, delivery deadlines or payment terms.
You can find an example of a service agreement template here.

What Is GDPR?

GDPR stands for General Data Protection Regulation. It has regulated the processing of personal data within EU member states since May 25, 2018. It harmonizes rules across Europe and provides a single legal framework for professionals. Every business must comply, from large corporations to freelancers.

You hear about personal data all the time, but do you really know what it means?

The CNIL defines personal data as “any information relating to an identified or identifiable individual.”
As an independent secretary, you handle many personal data items (name, address, email…). You must be able to prove how you use them.

Personal data must be:

Processed lawfully, fairly and transparently
Collected for specific, explicit and legitimate purposes
Stored only for the necessary duration
Protected with appropriate security measures against unauthorized access or misuse

How to Write Your GDPR Documentation?

1. Appoint a Data Protection Officer (DPO)

Appointing a Data Protection Officer is recommended, but not mandatory.
When you work independently, you simply become your own DPO.

2. Create a Data Inventory

To comply with the regulation, you must list all personal data processing activities you perform. Include all departments collecting data: sales, HR, communication, etc. Organize the data by purpose or retention period.

3. Prioritize Your Actions

Based on the inventory, define your action plan.

Key reminders:
Stop collecting data that is not necessary
Define how users can exercise their rights (access, correction, portability, withdrawal of consent…)
Ensure your subcontractors comply with GDPR
Review stored data and plan deletion deadlines

Be especially careful when processing:
Health or sexual orientation data
Criminal or legal records
Minors’ data
Data transferred outside the EU

4. Risk Management

Once your data and risks are identified, you must create a Data Protection Impact Assessment (DPIA).

A DPIA includes:
A description of the processing and its purpose
An evaluation of the necessity and proportionality of the processing
An assessment of risks for the individuals
Measures to mitigate those risks

The CNIL provides guidelines, tools and dedicated PIA software to help carry out DPIAs.

You must also ensure your partners and subcontract

5. Document Your Compliance

You must document everything proving that data is stored and processed securely.
This includes:
Secure servers
Data encryption
Access control
Audit trails
Data backup procedures
