1. GENERAL PROVISIONS
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter GDPR), sets the legal framework applicable to the processing of personal data. This text reinforces the rights and obligations of data controllers, subcontractors, data subjects and data recipients.
Subsequently, and to implement the modifications to the GDPR, law n°78-17 of January 6, 1978 known as Information Technology and Liberties was amended by law n°2018-493 of June 20, 2018 and by Ordinance No. 2018-1125 of December 12, 2018 relating to data protection.
This policy is implemented by the Cotentin Tourist Office (hereinafter called “the organization”), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of tourism. the Cotentin tourist offer.
As part of our activity, we implement processing of personal data relating to the data of our customers, partners and prospects. For a good understanding of this policy, it is specified that:
- clients are understood as all natural or legal persons engaged under a contract of any nature whatsoever with our organization, it being specified that it is intended to work with professional clients in tourism or the general public;
- partners are understood as all natural or legal persons involved in the tourism sector and as such maintaining relationships with our organization, such as in particular tourism professionals in the department, project leaders and internal and external investors, holiday distributors, communities territorial authorities and their groups or even institutional partners;
- prospects are understood as any potential customer or any contact recipient of promotional messages from our organization whose data has been collected directly via contact forms, events or indirectly via any partner of the organization.
Purpose and scope
This personal data protection policy is intended to apply in the context of the implementation of the processing of the personal data of our customers, partners and prospects.
As such, the purpose of this policy is to satisfy our organization's information obligation and thus to formalize the rights and obligations available to customers, partners and prospects with regard to the processing of their data.
This policy only concerns processing for which we are responsible as well as data classified as “structured”.
The processing of personal data can be managed directly by our organization or through a subcontractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship that binds us to our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not meet the principles GDPR Generals.
Any new processing, modification or deletion of an existing processing will be brought to the attention of customers, partners and prospects through a modification of this policy.
2.CUSTOMER DATA
Types of data collected
Non-technical data (depending on use cases) | identity and identification (surname, first name, date of birth, nickname, customer number) contact details (email, postal address, telephone number) professional life / personal life when necessary banking data (RIB) |
Technical Data (depending on use cases) | identification data (IP address) connection data (logs, token in particular) acceptance data (click) location data |
Origin of data
- We collect our customer data from:
data provided by the customer (paper form, order form, contract, business card); - electronic forms or forms completed by the customer;
- data entered online (website, social networks, etc.);
- registration for events we organize;
- databases shared between several partners, supplied and operated by all of these partners;
- exceptional rental or acquisition of databases;
- communication of contacts through specialized companies or partners of our organization.
Purpose
Depending on the case, we process our customers' data for the following purposes:
- customer relationship management ;
- sale of tourist stays, services or products directly or via distribution partners;
- management of organized events that we organize;
- commercial prospecting actions;
- sending newsletters or information/news feeds;
- customer account management;
- improvement of our services;
- response to our administrative obligations;
- community management;
- production of statistics.
Retention periods
The retention period of our customers' data is defined with regard to the legal and contractual constraints that weigh on us and failing that according to our needs and in particular according to the following principles
Legal basis
The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures or, in certain cases, the consent of the customer (e.g. sending commercial prospecting messages).
Treatment | Shelf life |
Customer data | For the duration of the contractual relations, increased by 3 years for the purposes of animation and prospecting, without prejudice to the obligations of conservation or the limitation periods |
Technical data | 1 year from collection |
Cookies | See cookies policy |
After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.
Customers are reminded that deletion or anonymization are irreversible operations and we are no longer, thereafter, able to restore them.
3. PARTNER DATA
Types of data collected
Non-technical data (depending on use cases) | identity and identification (surname, first name, date of birth, nickname) contact details (e-mail, postal address, telephone number) professional life (function, job title, etc.) bank details (RIB) |
Technical Data (depending on use cases) | identification data (IP address) connection data (logs, token in particular) acceptance data (click) location data |
Origin of data
We collect data from our partners from:
- information collected directly via partners, particularly via shared databases;
- electronic forms or forms completed by partners;
- registrations or subscriptions to our online services (newsletter, social networks).
Purpose
Depending on the cases, we process our customers' data for the following purposes:
- partner relationship management;
- labeling of sites and equipment for the sectors entrusted by the organization;
- tourism engineering operations (diagnostics and feasibility studies, support for setting up projects and grant application files);
- networking and consultation operations between different partners;
- marketing support operations for partner service providers;
- management of the events we organize (trade fairs, workshops, etc.);
- training operations for partner service providers;
- search operations for distribution partners;
Retention periods
The retention period for the data of our partners is defined with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs and in particular according to the following principles:
Treatment | Shelf life |
Customer data | For the duration of the contractual relationship, increased by 3 years for the purposes of monitoring the relationship, without prejudice to retention obligations or limitation periods |
Technical Data | 1 year from collection |
Cookies | See cookies policy |
After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.
Partners are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.
Legal basis
The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures.
4.PROSPECTS DATA
Types of data collected
Non-technical data (depending on use cases) | identity and identification (surname, first name, date of birth, nickname) contact details (e-mail, postal address, telephone number) professional life (function, job title, etc.) and personal life |
Technical Data (depending on use cases) | identification data (IP address) connection data (logs, token in particular) acceptance data (click) location data |
Origin of data
We collect our prospect data from:
- data provided by the prospect (paper form, business card, etc.);
- electronic forms or forms completed by the prospect;
- data entered online (website, social networks, etc.);
- registration or subscription to our online services (website, social networks);
- registration for events we organize;
- databases shared between several partners, supplied and operated by all of these partners;
- list communicated by the organizers of events or conferences in which we participate;
- exceptional rental of databases;
- communication of contacts through specialized companies or partners.
Purpose
Depending on the cases, we process the data of our prospects for the following purposes:
- prospect relationship management;
- management of the events we organize;
- commercial prospecting actions;
- sending our newsletters or information feeds;
- animation of websites in partnership with our partners;
- operation to promote our organization and Cotentin tourism on social networks (Facebook, Twitter, YouTube, Instagram, etc.);
- behavioral analysis of prospects;
- community management;
- production of statistics.
Retention periods
The retention period for the data of our prospects is defined with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs and in particular according to the following principles:
Treatment | Shelf life |
Customer data | For 3 years from their collection or the last contact from the prospect |
Technical Data | 1 year from collection |
Cookies | See cookies policy |
After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.
Prospects are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.
Legal basis
The purposes of processing prospects presented above are based on the following legality conditions:
- execution of pre-contractual measures;
- legitimate interest of our organization;
- consent of the prospect when the law requires it (example regarding the sending of commercial prospecting messages).
5. DATA RECIPIENTS
We ensure that data is only accessible to authorized internal or external recipients subject to an appropriate obligation of confidentiality. Internally, we decide which recipient can have access to which data according to an authorization policy. All access to processing relating to personal data of customers, partners and prospects is subject to a traceability measure. Furthermore, personal data may be communicated to any authority legally authorized to know it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.
Internal recipients | External recipients |
Authorized personnel within our structure (staff in charge of marketing, customer relationship management/quality service, service provider and prospects, administrative staff, accounting department, equipment department, staff in charge of IT) and their managers hierarchical. | Tourist partners who access the shared file in which the data may appear; Service providers or support services; Authorized personnel from the services responsible for control (auditor, services responsible for internal control procedures, etc.); Banking establishments; Administration |
6. RIGHTS OF PERSONS
Right of access and copy
Customers, partners and prospects traditionally have the right to request confirmation that data concerning them is or is not being processed.
They also have a right to access their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.
In such a case, the customer, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Failing this, we reserve the right to request the communication of any element allowing its identification, such as in particular the copy of an identity document.
Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require the financial support of this cost by customers, partners and prospects.
If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided to them in a commonly used electronic form, unless otherwise requested.
Customers, partners and prospects are informed that this right of access cannot relate to confidential information or data or for which the law does not authorize communication.
The right of access must not be exercised abusively, that is to say carried out regularly with the sole aim of destabilizing the service concerned.
Updating – updating and rectification
We fulfill update requests:
- automatically for inline changes to fields that technically or legally can be updated;
- on demand
Right to erasure
The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the erasure of their data in the following limited cases:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- where the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to processing which is necessary for the purposes of the legitimate interests pursued by us and there are no overriding legitimate grounds for the processing;
- the data subject objects to the processing of their personal data for marketing purposes, including profiling;
- the personal data has been the subject of unlawful processing.
Right to limitation
Customers, partners and prospects are informed that this right is not intended to apply to the extent that the processing that we implement is lawful and that all personal data collected are necessary for the implementation of the purposes of processing these.
Right to portability
We grant requests for data portability in the particular case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and performance of a contract. In this case, the data is communicated to the applicant in a structured, commonly used and machine-readable format.
Automated individual decision
We do not make any automated individual decisions.
The tools offered on our website are only help tools for customers and prospects and cannot be considered otherwise.
Post-mortem law
Customers, partners and prospects are informed that they have the right to formulate directives concerning the storage, erasure and communication of their post-mortem data.
Exercise of rights
The exercise of the aforementioned rights is carried out, at the choice of the interested party, by email or by post
7. ADDITIONAL PROVISIONS
Optional or mandatory nature of answers
Customers, partners and prospects are informed of the mandatory or optional nature of the answers by the presence of an asterisk on each personal data collection form submitted to them. In the case where answers are mandatory, we explain to them the consequences of a lack of answer.
Right of use
Our organization is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.
However, the enriched data which is the result of processing and analysis work on our part, otherwise known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).
Subcontracting
We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the GDPR.
We are committed to signing a written contract with all our subcontractors and imposes on the subcontractors the same obligations in terms of data protection as itself. In addition, we reserve the right to carry out an audit with our subcontractors in order to ensure compliance with the provisions of the GDPR.
Cross-border flows
Our organization alone reserves the choice of whether or not to have cross-border flows for the personal data it processes.
In the event of transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are respected. We undertake, if necessary, to sign one or more contracts to regulate cross-border data flows.
The provisions relating to cross-border flows are binding on us, except in the exceptional cases provided for in Article 49 of the GDPR.
Processing register
As a controller, we undertake to maintain an up-to-date record of all processing activities carried out.
This register is a document or application making it possible to identify all the processing that we implement as the controller.
We undertake to provide the supervisory authority, on first request, with the information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.
8. SECURITY
Security measures
It is our responsibility to define and implement the technical security measures, physical or logical, that we consider appropriate to combat the destruction, loss, alteration or unauthorized disclosure of data in an accidental or illicit manner.
To do this, we can be assisted by any third party of our choice to carry out, at the frequencies that we deem necessary, vulnerability audits or intrusion tests.
In any case, we undertake, in the event of a change in the means aimed at ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change can lead to a regression in the level of security.
In the event of subcontracting of part or all of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical measures for the protection of this data. and the appropriate human resources.
Data Breach
In the event of a personal data breach, we undertake to notify the Cnil under the conditions prescribed by the GDPR.
If said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.
9. CONTACTS
Data Protection Officer
We have appointed a data protection officer whose contact details are as follows: Me Eric Barby, Racine law firm, 40 rue de Courcelles, 75008 Paris, click here to send him a message.
In the event of new processing of personal data, we will contact the data protection officer beforehand.
If you wish to obtain specific information or ask a specific question, you can contact the data protection officer who will give you an answer within a reasonable time with regard to the question asked or the information required.
In the event of a problem encountered with the processing of your personal data, you can contact the designated data protection officer.
Right to lodge a complaint with the CNIL
Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data personal data concerning them does not comply with European data protection regulations, at the following address:
- Cnil – Complaints department
3 Place de Fontenoy - TSA 80715 – 75334 PARIS CEDEX 07
Tel: +01 53 73 22 22
Evolution
This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the Cnil or practices.
Any new version of this policy will be brought to the attention of customers, prospects and partners by any means that we define, including electronically (dissemination by e-mail or online for example).
For more information
For any further information, you can contact the DPO.
For any other more general information on the protection of personal data, you can consult the CNIL website