1. General provisions
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter “GDPR”), sets out the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the changes made by the RGPD, law no. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by law no. 2018-493 of 20 June 2018 and by order no. 2018-1125 of 12 December 2018 relating to data protection.
This policy is implemented by Côte-d’Or Attractivité (hereinafter referred to as “the organisation”), whose main activities include developing the tourism offering, promoting tourist destinations and marketing the tourism offering in the Côte-d’Or region.
We also aim to attract new working populations to the Côte-d’Or and to anchor the local population by enhancing the region’s living environment.
As part of our activities, we process personal data relating to our customers, partners and prospective customers. For a proper understanding of this policy, it is specified that :
– Customers are understood to be any natural or legal person who has entered into a contract of any kind whatsoever with our organisation, it being specified that our organisation works with tourism professionals or the general public;
– Partners are understood to be any natural or legal persons operating in the tourism sector and maintaining relations with our organisation in this capacity, such as, in particular, local tourism professionals, project promoters and internal and external investors, holiday distributors, local authorities and their groupings or institutional partners;
– Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organisation whose data has been collected directly via contact forms, events or indirectly via any of the organisation’s partners.
Purpose and scope
This personal data protection policy is intended to apply to the processing of the personal data of our customers, partners and prospective customers.
The purpose of this policy is to meet our organisation’s obligation to provide information and to formalise the rights and obligations of customers, partners and prospective customers with regard to the processing of their data.
This policy relates only to the processing for which we are responsible and to data described as “structured”.
The processing of personal data may be managed directly by our organisation or through a sub-contractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between us and our customers or partners. We do not process the data of our customers, partners and prospective customers if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.
2. Customer data
Types of data collected
● Non-technical data (according to use cases) :
– Identity and identification (civil status, surname, first name, date of birth, pseudonym, customer number)
– Contact details (e-mail, postal address, telephone number)
– Professional/personal life where necessary
● Technical data (depending on use cases):
– Connection data (IP address, logs)
– Browsing data (cookies, tracers, clicks)
– Location data (movement, GPS data)
Origin of data
We collect customer data from :
– Data supplied by the customer (paper form, order form, contract, business card) ;
– Electronic forms filled in by the customer;
– Data entered online (website, social networks);
– Registration for events that we organise;
– Databases shared between several partners, fed and used by all these partners;
– Exceptional rental or acquisition of databases;
– Communication of contacts via specialised companies or partners of our organisation.
Purposes and legal basis
Depending on the case, we process our customers’ data for the following purposes and on the following legal bases:
– Management of the events we organise (legitimate interest of our organisation in promoting our activity);
– Sending newsletters or news feeds (legitimate interest of our organisation to promote its activity);
– Improving our services (legitimate interest of our organisation to improve its services);
– Meeting our administrative obligations (legal obligation);
– Community management (legitimate interest of our organisation to promote our activity);
– Carrying out statistics (legitimate interest of our organisation to analyse the activity of its customers).
Retention periods
The retention period for our customers’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
● Data processed for canvassing purposes: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer (request for documentation, clicking on a link contained in an email, etc.).
● Technical data: 1 year from the date of collection.
After this period, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Customers are reminded that the deletion or anonymisation of data is irreversible and that we are not subsequently able to restore it.
3. Partner data
Types of data collected
Non-technical data (depending on use cases):
● Identity and identification (civil status, surname, first name)
● Contact details (e-mail, postal address, telephone number)
● Professional life where necessary
● Transaction data (amount and date of transactions)
Technical data (depending on use cases):
● Connection data (IP address, logs)
● Browsing data (cookies, tracers, clicks)
● Location data (movement, GPS data)
Origin of data
We collect data from our partners from:
– Information collected directly via partners;
– Electronic forms filled in by partners;
– Registrations or subscriptions to our online services (newsletter, social networks).
Purposes and legal bases
Depending on the case, we process our partners’ data for the following purposes and on the following legal bases:
– Management of partner relations (execution of pre-contractual or contractual measures);
– Labelling of sites and equipment for the sectors entrusted to us by the organisation (performance of contractual measures);
– Sending newsletters or news feeds (legitimate interest of our organisation in promoting its activity);
– Tourism engineering operations (diagnostics and feasibility studies, support in setting up projects and grant application files) (performance of pre-contractual or contractual measures);
– Networking and consultation between the various partners (legitimate interest of our organisation in developing its network of partners);
– Operations to assist in the marketing of partner service providers (execution of pre-contractual or contractual measures);
– Management of events that we organise (trade fairs, workshops, etc.) (legitimate interest of our organisation in promoting its activity);
– Training operations for partner service providers (execution of pre-contractual or contractual measures);
– Search for distribution partners (legitimate interest of our organisation in developing its network of distribution partners);
– Production of statistics (legitimate interest of our organisation to analyse the activity of its partners).
Retention periods
The length of time we keep our partners’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
● Contracts concluded with partners: 5 years from the end of the contractual relationship -10 years for contracts concluded electronically of more than 120 euros.
● Commercial correspondence (order forms, delivery notes, invoices, etc.): 10 years from the end of the financial year.
● Data processed for canvassing purposes: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the partner (request for documentation, clicking on a link contained in an email, etc.).
● Technical data: 1 year from the date of collection.
● Bank details: deleted as soon as the transaction has been completed, unless expressly agreed otherwise by the partner. If the transaction is contested: kept for 13 months in the archives following the debit date.
After the set periods, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Partners are reminded that the deletion or anonymisation of data is irreversible and that we are not subsequently able to restore it.
4. Prospective customers’ data
Types of data collected
● Non-technical data (according to use cases) :
– Identity and identification (civil status, surname, first name, date of birth)
– Contact details (e-mail, postal address, telephone number)
– Professional/personal life where necessary
● Technical data (depending on use cases):
– Connection data (IP address, logs)
– Browsing data (cookies, tracers, clicks)
– Location data (movement, GPS data)
Origin of data
We collect our prospects’ data from :
– Data provided by the prospect (paper form, business card, etc.) ;
– Electronic forms filled in by the prospect;
– Data entered online (website, social networks, etc.);
– Registration or subscription to our online services (website, social networks);
– Registration for events that we organise;
– Databases shared by several partners, fed and used by all these partners;
– List provided by the organisers of events or conferences in which we participate;
– Exceptional rental of databases;
– Communication of contacts via specialised companies or partners.
Purposes and legal basis
Depending on the case, we process the data of our prospects for the following purposes and legal bases:
– Management of the prospect relationship (legitimate interest of our organisation in promoting its activity);
– Management of the events we organise (legitimate interest of our organisation in promoting its activity);
– Sending our newsletters or information feeds (consent);
– Animation of websites in partnership with our partners (legitimate interest of our organisation to promote its activity);
– Promotion of our organisation and tourism on social networks (Facebook, LinkedIn, YouTube, Instagram) (legitimate interest of our organisation to promote its activity);
– Behavioural analysis of prospects (legitimate interest of our organisation in analysing the activity of its prospects);
– Community management (legitimate interest of our organisation to promote its activity);
– Statistics (legitimate interest of our organisation to analyse the activity of its prospects).
Retention periods
The retention period for our prospects’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
●Data processed for prospecting purposes: 3 years from the date of collection or the last contact from the prospect (request for documentation, clicking on a link contained in an email, etc.).
●Technical data: 1 year from the date of collection.
After these deadlines, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Prospects are reminded that the deletion or anonymisation of data is irreversible and that we are not subsequently able to restore it.
5. Recipients of data
We ensure that data is only accessible to authorised internal or external recipients who are subject to an appropriate obligation of confidentiality.
Internally, we decide which recipient may have access to which data in accordance with an authorisation policy.
In addition, personal data may be communicated to any authority legally authorised to have access to it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.
●Internal recipients: Authorised staff within our organisation (staff in charge of marketing, customer relationship management, service providers and prospects, administrative staff, IT staff) and their line managers.
● External recipients :
– Tourist partners who access the shared file in which the data may appear;
– Service providers or support services;
– Authorised staff of the departments responsible for control (statutory auditor, departments responsible for internal control procedures, etc.); Administration, court officials where applicable.
6. Individual rights
Right of access and copy
Customers, partners and prospective customers have the right to request confirmation as to whether or not data concerning them is being processed.
They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.
In such a case, the customer, partner or prospective customer must formulate his request himself and there must be no doubt as to his identity. Failing this, we reserve the right to request any information that would enable them to be identified, such as a copy of an identity document.
Customers, partners and prospective customers have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospective customers to bear the cost of this.
If customers, partners and prospective customers submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.
Customers, partners and prospective customers are informed that this right of access may not relate to information or data that is confidential or for which communication is not authorised by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the service concerned.
Updating and rectification
We comply with requests for updates:
– automatically for online changes to fields that can be technically or legally updated;
– at the written request of the individual.
Right to erasure
The right to erasure of customers, partners and prospects will not apply in cases where the processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospective customers may request the deletion of their data in the following limited cases:
– the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
– when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
– the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
– the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
– the personal data has been processed unlawfully.
Right to limitation
Customers, partners and prospective customers are informed that this right is only applicable in the following cases:
– the accuracy of the personal data is contested by the data subject, for a period allowing us to verify the accuracy of the personal data;
– the processing is unlawful and the data subject objects to the erasure of the data and instead requests that the use of the data be restricted;
– we no longer need the personal data for the purposes of processing, but it is still necessary for the data subject to establish, exercise or defend legal claims; or
– the data subject has objected to the processing, during verification of whether the legitimate grounds pursued by the controller override those of the data subject.
Right to portability
We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of the individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.
Automated individual decisions
We do not make any automated individual decisions.
Post-mortem rights
Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their data post-mortem.
Exercise of rights
The aforementioned rights may be exercised, at the option of the interested party, by e-mail to the address: dpo-cotedor.attractivite@racine.eu.
7. Additional provisions
Optional or mandatory nature of responses
Customers, partners and prospective customers are informed of the compulsory or optional nature of their responses by the presence of an asterisk on each personal data collection form submitted to them. Where responses are mandatory, we explain the consequences of not responding.
Right of use
Our organisation is granted the right by its customers, prospects and partners to use and process their personal data for the purposes set out above.
However, enriched data that is the result of processing and analysis on our part remains our exclusive property (usage analysis, statistics, etc.).
Subcontracting
We inform you that we may involve any sub-contractor of our choice in the processing of your personal data. In this case, we will ensure that the subcontractor complies with its obligations under the RGPD.
We undertake to sign a written contract with all our sub-contractors and to impose the same data protection obligations on them as on ourselves. You can obtain a copy of these guarantees by writing to dpo-cotedor.attractivite@racine.eu.
In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the GDPR.
Cross-border data flows
Our organisation reserves the right to decide whether or not to process personal data across borders.
If personal data is transferred to a country outside the European Union or to an international organisation, we will ensure that your rights are respected. If necessary, we will sign one or more contracts to govern cross-border data flows.
You can obtain a copy of these guarantees by writing to dpo-cotedor.attractivite@racine.eu.
Register of processing operations
As data controller, we undertake to keep an up-to-date register of all processing activities carried out.
This register is a document or application that makes it possible to list all the processing operations that we carry out as data controller.
We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify that the processing complies with the regulations in force.
8. Security
Security measures
We are responsible for defining and implementing the technical, physical or logical security measures that we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
To this end, we may engage the assistance of any third party of our choice to carry out vulnerability audits or penetration tests at such intervals as we consider necessary.
In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical data protection measures and appropriate human resources.
Data breaches
In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the RGPD.
If the said breach poses a high risk to customers, partners and prospective customers and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.
9. Contacts
We have appointed a Data Protection Officer whose contact details are as follows: dpo-cotedor.attractivite@racine.eu.
We will notify the Data Protection Officer in advance of any new processing of personal data.
If you wish to obtain information or ask a specific question, you may contact the Data Protection Officer, who will provide you with a response within a reasonable period of time in relation to the information requested or the question asked.
If you have a problem with the processing of your personal data, you can contact the Data Protection Officer.
Right to lodge a complaint with the CNIL
Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:
CNIL – Complaints Department
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
Changes
This policy may be amended or modified at any time in the event of changes to legislation, case law, CNIL decisions and recommendations or practices.
Any new version of this policy will be brought to the attention of customers, prospects and partners by any means that we define, including by electronic means (distribution by e-mail or online, for example).
For further information
For any further information, please contact us at the above address, in this case dpo-cotedor.attractivite@racine.eu.
For more general information on the protection of personal data, please visit the CNIL website at www.cnil.fr.