GENERAL PROVISIONS
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, processors, data subjects and data recipients.
Subsequently, and in order to implement the changes made by the RGPD, the French Data Protection Act no. 78-17 of January 6, 1978 was amended by Act no. 2018-493 of June 20, 2018 and Order no. 2018-1125 of December 12, 2018.
This policy is implemented by Quai Cyrano (hereinafter referred to as “the organization”), whose main activities include the development of the tourism offer, the promotion of tourist destinations, the marketing of the tourism offer of the Bergerac Agglomeration Community and the Montaigne Montravel Gurson Community of Communes, as well as the management of the Bergerac and Duras Wine House and Experience Cyrano.
In the course of our business, we process personal data relating to our customers, partners and prospects. For a better understanding of the present policy, it is specified that :
– customers are understood to be all natural or legal persons who have entered into a contract of any kind with our organization, it being specified that the latter is intended to work with professional customers in the tourism and wine industries, or with the general public;
– partners are understood to be any natural or legal persons involved in the tourism or wine-growing sector, and who have a relationship with our organization in this respect, such as local tourism professionals, project sponsors and internal and external investors, holiday distributors, local authorities and their associations, institutional partners or wine-growers;
– Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organization whose data has been collected directly via contact forms, events or indirectly via any of our organization’s partners.
Purpose and scope
This personal data protection policy is intended to apply to the processing of the personal data of our customers, partners and prospects.
As such, the purpose of this policy is to satisfy our organization’s obligation to provide information, and thus to formalize the rights and obligations of customers, partners and prospective customers with regard to the processing of their data.
This policy applies only to data processing for which we are responsible, and to “structured” data.
The processing of personal data may be managed directly by our organization or through a subcontractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship that binds us to our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.
CUSTOMER DATA
Types of data collected
Non-technical data (depending on use)
– identity and identification (surname, first name, date of birth, pseudonym, customer number)
– contact details (e-mail, postal address, telephone number) professional/personal life where necessary
Technical data (depending on use)
– identification data (IP address)
– connection data (logs, token, etc.)
– acceptance data (clicks) location data
Data origin
We collect customer data from :
– data supplied by the customer (paper forms, order forms, contracts, business cards) ;
– electronic forms filled in by the customer;
– data entered online (website, social networks, etc.);
– registration for events we organize;
– databases shared by several partners, fed and used by all these partners;
– exceptional rental or acquisition of databases;
– communication of contacts via specialized companies or partners of our organization.
Purposes
As the case may be, we process customer data for the following purposes:
– customer relationship management ;
– sale of tourist stays directly or via distribution partners;
– management of events organized by us;
– sending newsletters or information feeds;
– customer account management;
– improving our services;
– meeting our administrative obligations;
– community management;
– statistics.
Retention periods
The length of time we keep customer data is defined in the light of the legal and contractual constraints we are subject to, and otherwise according to our needs, and in particular in accordance with the following principles:
Customer data : For the duration of the contractual relationship, plus 3 years for promotion and prospecting purposes, without prejudice to retention obligations or limitation periods.
Technical data: 1 year from the date of collection
Cookies: See cookies policy
Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.
Customers are reminded that deletion or anonymization are irreversible operations, and we are not subsequently able to restore them.
Legal basis
The legal basis for the processing operations we carry out under this policy is the implementation of contractual or pre-contractual measures or, in certain cases, the customer’s consent (e.g.: sending of commercial prospecting messages).
PARTNER DATA
Types of data collected
Non-technical data (depending on use):
identity and identification (surname, first name, date of birth, pseudonym)
contact details (e-mail, postal address, telephone number)
professional details (position, job title, etc.)
Technical data (depending on use)
identification data (IP address)
connection data (logs, token, etc.)
acceptance data (click)
location data
Data origin
We collect data from our partners from :
information collected directly via partners, in particular via shared databases;
forms or electronic forms filled in by partners
registrations or subscriptions to our online services (newsletter, social networks).
Purposes
Depending on the case, we process customer data for the following purposes:
partner relationship management ;
certification of sites and facilities in the sectors entrusted to us by the organization;
tourism engineering operations (diagnostics and feasibility studies, support in setting up projects and grant applications);
networking and consultation with various partners;
marketing support for partner service providers;
management of the events we organize (trade shows, workshops, etc.);
training operations for partner service providers;
search for distribution partners;
statistics.
Retention periods
The length of time we keep our partners’ data is defined in the light of the legal and contractual constraints we are subject to, and otherwise in accordance with our needs, and in particular in accordance with the following principles:
Customer data : For the duration of the contractual relationship, plus 3 years for relationship monitoring purposes, without prejudice to retention obligations or limitation periods.
Technical data: 1 year from the date of collection
Cookies : See cookies policy
Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.
Partners are reminded that deletion or anonymization are irreversible operations, and that we are not subsequently able to restore them.
Legal basis
The legal basis for the processing operations we carry out under this policy is the implementation of contractual or pre-contractual measures.
PROSPECTIVE CUSTOMERS’ DATA
Types of data collected
Non-technical data (depending on use) :
identity and identification (surname, first name, date of birth, pseudonym)
contact details (e-mail, postal address, telephone number)
professional details (position, job title, etc.)
Technical data (according to use cases) :
identification data (IP address)
connection data (logs, token, etc.)
acceptance data (click)
location data
Data origin
We collect our prospects’ data from :
data supplied by the prospect (paper form, business card, etc.) ;
electronic forms filled in by the prospect;
data entered online (website, social networks, etc.);
registration or subscription to our online services (website, social networks);
registration for events we organize;
databases shared by several partners, fed and used by all these partners;
lists provided by the organizers of events or conferences in which we participate;
exceptional database rentals;
communication of contacts via specialized companies or partners.
Purposes
Depending on the case, we process our prospects’ data for the following purposes:
prospect relationship management ;
management of events we organize;
sending our newsletters or news feeds;
animation of websites in partnership with our partners;
promoting our organization and tourism in Montauban on social networks (Facebook, Twitter, YouTube, Instagram, etc.)
behavioral analysis of prospects ;
community management ;
statistics.
Retention periods
The retention period for our prospects’ data is defined in the light of our legal and contractual obligations and, failing that, according to our needs, and in particular according to the following principles:
Customer data : For 3 years from the date of collection or last contact with the prospect.
Technical data: 1 year from collection
Cookies : See cookies policy
After these deadlines, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.
Prospects are reminded that deletion or anonymization are irreversible operations and that we are not subsequently able to restore them.
Legal basis
The above-mentioned purposes for processing prospects are based on the following conditions of lawfulness:
performance of pre-contractual measures ;
our organization’s legitimate interests
the prospect’s consent, where required by law (e.g. in the case of commercial prospecting messages).
DATA RECIPIENTS
We ensure that data is only accessible to authorized internal or external recipients who are subject to an appropriate obligation of confidentiality.
Internally, we decide which recipients will have access to which data according to an authorization policy.
All accesses concerning the processing of personal data of customers, partners and prospects are subject to traceability measures.
In addition, personal data may be communicated to any authority legally empowered to deal with it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.
Internal recipients: Authorized personnel within our structure (personnel in charge of marketing, customer relationship management, service providers and prospects, administrative personnel, personnel in charge of IT) and their line managers.
External recipients :
Tourist partners who access the shared file in which data may appear;
service providers or support services ;
authorized staff of audit departments (statutory auditors, departments responsible for internal audit procedures, etc.);
administrative and legal personnel, where applicable.
INDIVIDUAL RIGHTS
Access and copy rights
Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them is being processed.
They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.
In such a case, the customer, partner or prospect must formulate his or her request himself or herself, and there must be no doubt as to his or her identity. Failing this, we reserve the right to ask for any information that would enable them to be identified, such as a copy of an identity document.
Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost of this.
If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.
Customers, partners and prospective customers are hereby informed that this right of access may not relate to confidential information or data, or data for which communication is not permitted by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the service concerned.
Updating and rectification
We respond to requests for updates :
automatically for online modifications to fields that can be technically or legally updated;
upon written request from the person concerned, who must provide proof of identity.
Right to erasure
The right to erasure of customers, partners and prospects will not apply in cases where processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases:
personal data is no longer required for the purposes for which it was collected or otherwise processed;
when the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
the personal data has been processed unlawfully.
Right to restriction
Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing we carry out is lawful and all personal data collected is necessary for the purposes for which it is processed.
Right to portability
We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.
Automated individual decisions
We do not make any automated individual decisions.
The tools offered on our website are only intended to help customers and prospective customers and should not be considered otherwise.
Post-mortem rights
Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.
Exercise of rights
The aforementioned rights may be exercised, at the option of the person concerned, by e-mail or by post to the following address: dpo-otdemontauban@racine.eu
ADDITIONAL PROVISIONS
Optional or compulsory responses
Customers, partners and prospects are informed of the compulsory or optional nature of their responses by the presence of an asterisk on each personal data collection form submitted. Where answers are mandatory, we explain the consequences of not answering.
Right of use
Our customers, prospects and partners grant us the right to use and process their personal data for the purposes set out above.
However, enriched data resulting from processing and analysis on our part, otherwise known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).
Subcontracting
We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the RGPD.
We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as ourselves. In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the RGPD.
Cross-border flows
Our organization alone reserves the choice of whether or not to have transborder flows for the personal data it processes.
In the event of the transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are properly respected. If necessary, we will sign one or more contracts to govern cross-border data flows.
The provisions relating to cross-border flows are enforceable against us, except in the derogatory cases provided for in Article 49 of the RGPD.
Register of processing operations
As data controller, we undertake to keep an up-to-date register of all processing activities carried out.
This register is a document or application that makes it possible to list all the processing that we implement as data controller.
We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of processing with current data protection regulations.
SECURITY
Security measures
We are responsible for defining and implementing the physical or logical technical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
To this end, we may engage the assistance of any third party of our choice to carry out vulnerability audits or penetration tests, at such intervals as we deem necessary.
In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors, by means of technical data protection measures and appropriate human resources.
Data breaches
In the event of a personal data breach, we undertake to notify the Cnil under the conditions prescribed by the RGPD.
If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.
CONTACTS
Right to lodge a complaint with the Cnil
Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:
Cnil – Service des plaintes
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
Changes
The present policy may be modified or amended at any time in response to changes in legislation, case law, Cnil decisions and recommendations, or practices.
Any new version of the present policy will be brought to the attention of customers, prospects and partners by any means we define, including by electronic means (distribution by e-mail or online, for example).
For further information
For further information, please contact Quai Cyrano contact@quai-cyrano.com.
For more general information on the protection of personal data, please consult the Cnil website www.cnil.fr.