POLICY FOR THE PROTECTION OF CLIENTS’, PROSPECTS’ AND PARTNERS’ DATA
1- General provisions
Introduction
The EU Regulation 2016/679 from the European Parliament and Council on 27th April 2016 relating to data protection (hereinafter RGPD) created the legal framework applicable to the processing of personal data. The text reinforces the rights and obligations of those responsible for data processing, of subcontractors, of people involved and of the recipients of the data.
Subsequently and so as to put in place modifications to the RGPD, law 78-17 of 6th January 1978 (known as Information Technology and Freedoms) was modified by law 2018-493 of 20th June 2018 and by regulation 2018-1125 of 12th December 2018 relating to data protection.
The policy below has been adopted by Charentes Tourisme (hereinafter known as “the organisation”) whose main activities are the development of tourism, the promotion of tourism destinations and the marketing of the territories of Charente and Charente-Maritime.
In the course of our activity, we put in place processing of data of a personal nature relating to the data of our clients, partners and prospects. To be clear:
- the term “clients” includes any person or legal entity committed by a contract of whatsoever nature to our organisation, bearing in mind that the role of the organisation is to work with clients who are tourism professionals or the public at large;
- the term “partners” includes any person or legal entity in the tourism sector maintaining in this respect relations with our organisation such as departmental tourism professionals, project promoters and internal and external investors, tour operators, local authorities and their associations or institutional partners;
- the term “prospects” includes any potential client or any contact receiving promotional messages from our organisation whose data have been collected directly via contact forms, at events or indirectly via any partner of the organisation.
Purpose and scope
The current policy of protection of data of a personal nature is intended as the framework for implementation of the processing of data of a personal nature of our clients, partners and prospects.
Thus, the purpose of the policy is to satisfy the obligation for information by our organisation and to formalise the rights and obligations that our clients, partners and prospects have in relation to their data.
The policy relates only to data for which we are responsible as well as data identified as “structured”;
Processing data of a personal nature may be managed directly by our organisation or through a subcontractor specifically appointed by us.
This policy is independent of any other document that may be applied to the contractual relationship that links us to our clients, partners and prospects. No processing of data provided by our clients, partners and prospects takes place if it does not relate to data of a personal nature collected by or for our services or processed with our services and if it does not meet the general principles of the RGPD.
Any new processing, modification or suppression of existing processing shall be brought to the attention of our clients, partners and prospects by means of the modification of this policy.
2- Clients’ data
Types of data collected
Non-technical data
(according to usage) |
|
Technical data
(according to usage) |
|
Origin of data
We collect clients’ data from:
- data provided by the client (paper forms, orders, contracts, visiting cards);
- electronic forms completed by the client;
- data collected online (websites, social media…);
- registration at events that we organise;
- data bases pooled between several partners, supplied and exploited by these partners;
- exceptionally renting or acquisition of databases;
- communication of contacts through specialist businesses or partners of our organisation.
Purposes
Depending on the case, we process clients’ data for the following purposes:
- management of client relationships;
- sale of holidays directly or via tour operator partners;
- management of events that we organise;
- sending of newsletters or news feeds;
- management of client accounts;
- improvement of our services;
- meeting our administrative obligations;
- community management;
- creation of statistics.
Retention periods
The retention period for our clients’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:
Process | Period of retention |
Data relating to clients | For the duration of the contractual relationship, increased by 3 years for the purposes of prospection and activities without prejudice to the obligations of retention and limitation periods |
Technical data | 1 year from the date of collection |
Cookies | 13 month |
Once past these fixed periods, data are either deleted or retained after being anonymised, notably for statistical purposes. They may be retained in case of claims or litigation.
Clients are reminded that deletion and anonymisation of data are irreversible and we are thus not in a position to restore them.
Legal basis
Processing in respect of this policy is undertaken on the legal basis of implementation of contractual or precontractual measures or, in certain cases, the consent of the client (e.g.: despatch of commercial prospection messages).
3- Partners’ data
Types of data collected
Non-technical data (according to usage) |
|
Technical data (according to usage) |
|
Origin of data
We collect partners’ data from:
- information provided directly by the partner;
- electronic forms completed by the partner;
- registration or subscription to our online services (newsletter, social media).
Purposes
Depending on the case, we process partners’ data for the following purposes:
- management of partner relationships;
- labelling of sites and facilities for procedures transferred by the organisation;
- technical tourism operations (diagnostics and feasibility studies, support for setting up projects and requests for financial subsidy)
- networking operations and consultation with different partners;
- assisting our service partners with marketing;
- management of events that we organise (salons, workshops etc);
- training operations with our service partners;
- research operations with our distributor partners;
- creation of statistics.
Retention periods
The retention period for our partners’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:
Process | Period of retention |
Data relating to clients | For the duration of the contractual relationship, increased by 3 years for the purposes of monitoring the relationship without prejudice to the obligations of retention and limitation periods |
Technical data | 1 year from the date of collection |
Cookies | 13 month |
Once past these periods, data are either deleted or retained after being anonymised, notably for statistical purposes. They may be retained in case of claims or litigation.
Partners are reminded that deletion and anonymisation of data are irreversible and we are thus not in a position to restore them.
Legal basis
Processing in respect of this policy is undertaken on the legal basis of implementation of contractual or precontractual measures.
4- Prospects’ data
Types of data collected
non-technical data
(according to usage) |
|
Technical data
(according to usage) |
|
Origin of data
We collect prospects’ data from:
- data provided by the prospect (paper forms, visiting cards);
- electronic forms completed by the client;
- data collected on line (websites, social media…);
- registration or subscription to our online services (website, social media);
- registration at events that we organise;
- data bases pooled between several partners, supplied and exploited by these partners;
- lists provided by organisers of events or conventions that we participate in;
- exceptionally renting databases;
- communication of contacts through specialist businesses or partners.
Purposes
Depending on the case, we process prospects’ data for the following purposes:
- management of prospect relationships;
- management of events that we organise;
- despatch of newsletters or newsfeeds;
- activation of internet sites in partnership with our partners;
- promotional operations of our organisation and tourism in Charentes on social media (Facebook, Twitter, YouTube, Instagram …);
- behavioural analysis of prospects;
- community management;
- creation of statistics.
Retention periods
The retention period for our prospects’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:
Process | Period of retention |
Data relating to clients | 3 years from date of collection or from the last contact from the prospect |
Technical data | 1 year from the date of collection |
Cookies | 13 month |
Once past these periods, data are either deleted or retained after being anonymised, notably for statistical purposes. They may be retained in case of claims or litigation.
Partners are reminded that deletion and anonymisation of data are irreversible and we are thus not in a position to restore them.
Legal basis
The purposes of prospects’ processing shown above are based on the following conditions of legality:
- performance of precontractual measures;
- legitimate interest of our organisation;
- consent of the prospect when the law requires it (e.g. sending messages of commercial prospection).
5- Data recipients
We undertake that data are only accessible to authorised internal or external recipients subject to an appropriate obligation of confidentiality. We decide which internal recipient may have access to particular date according to an accreditation policy.
Any access concerning processing of clients’, partners’ or prospects’ personal data is traceable.
Furthermore, data of a personal nature may be communicated to any legally accredited authority. In this event, we are not responsible for the conditions in which the personnel of such bodies may access and exploit the data.
Internal recipients | External recipient |
Accredited personnel in our organisation (staff in charge of marketing, management of the relationship with clients, service providers and prospects, administrative personnel and staff in charge of information technology) and their hierarchical managers. |
|
6- Rights of individuals
Rights of access and copying
Clients, partners and prospects traditionally have the right to request confirmation of whether data concerning them are or are not processed.
They equally have a right of access to their data, i.e. the right to have the totality of information relating to their data of a personal nature communicated to them.
In such a case, the client, partner or prospect must make the request and there must be no doubt as to his/her identity. Failing that, we reserve the right to require the communication of any element that enables identification, notably the copy of an ID card or similar document.
Clients, partners and prospects have the right to request a copy of data of a personal nature that have been processed. However, in the case of requests for extra copies, we may require that the cost be charged to our clients, partners and prospects.
If clients, partners and prospects make their request for provision of data by electronic means, the requested information will be sent by an appropriate electronic means, unless requested otherwise.
Clients, partners and prospects are advised that this right of access does not extend to confidential data or information or to those that are not authorised by law.
The right of access must not be exercised in an abusive manner, that is to say in a regular manner where the sole aim is to destabilise the department in question.
Updating – updating and rectification
We satisfy requests for updating:
- automatically for online modifications of fields that can technically or legally be updated;
- on written request from the person concerned whose identity must be proven.
Right to deletion
Clients’, partners’ and prospects’ right to deletion will not be applicable where the processing is in place to satisfy a legal requirement. Otherwise, clients, partners and prospects may request the deletion of their data in the following limited cases:
- data of a personal nature no longer necessary for the purposes for which they were collected or processed in a different way;
- when the person concerned withdraws consent on which the processing is based and there is no other legal basis for the processing;
- the person concerned is opposed to the processing of data for legitimate purposes that we are undertaking and that there is no overriding legitimate reason for the processing;
- the person concerned is opposed to the processing of his/her data of a personal nature for prospection and profiling purposes;
- data of a personal nature have been the subject of illegal processing.
Right to limitation
Clients, partners and prospects are advised that this right does not apply in that the processing we put in place is legal and that all the data of a personal nature that are collected are necessary for this purpose.
Right to portability
We accede to requests for portability of data in the particular case of data communicated by clients, partners and prospects themselves for our online services and for purposes that rely on the sole consent of persons and performance of a contract. In this case, data are communicated to the applicant in a structured format that is in current use and machine-readable.
Automated individual decisions
We do not carry out any automated individual decisions.
The tools available on our website are just support tools for clients and prospects and may not be considered otherwise.
Post-mortem rights
Clients, partners and prospects are advised that they have the right to express guidelines concerning the conservation, deletion and communication of their data post-mortem.
Exercice of rights
The exercise of the above rights may be made, at the choice of the individual, by email or post to the following address: dpo-charentes.tourisme@racine.eu.
7- Additional provisions
Optional or compulsory nature of responses
Clients, partners and prospects are advised of the optional or compulsory nature of responses by the presence of an asterisk on each form that is used for the collection of data of a personal nature. Where responses are compulsory, we explain the consequences of an absence of response.
Right of utilisation
Our organisation is assigned a right of utilisation by our clients, prospects and partners to process their data of a personal nature for the purposes shown above.
However, enhanced data that are the result of processing or analysis by us, otherwise known as enhanced data, remain our exclusive property (usage analysis, statistics etc).
Subcontracting
We hereby advise you that we may request the intervention of a subcontractor of our choice to process your data of a personal nature. In this event, we undertake that the subcontractor respects the obligations imposed by the RGPD.
We undertake to sign a written contact with all our subcontractors and impose on them the same conditions in respect of data protection as ourselves. Furthermore we reserve the right to undertake an audit of our subcontractors to ensure that the dispositions of the RGPD are being met.
Cross-border flows
Our organisation reserves the sole right to choose whether or not to have cross-border flows for the processing of data of a personal nature.
In the event of data of a personal nature being transferred to a third country in the European Union or to an international organisation we shall inform you and ensure that your rights are fully respected. We undertake, if necessary, to sign one or more contracts that allow the cross-border flow of data.
Dispositions relating to cross-border flows are enforceable except in cases that permit a derogation in application of article 49 of the RGPD.
Processing register
As a data processing manager, we undertake to maintain and update a register of all the processing activities undertaken.
This register is a document or application enabling the identification of all the processing that we put in place as processing managers.
We hereby undertake to provide to the supervisory authority, in the first instance, the information enabling the said authority to verify the conformity of our processing to the data processing and civil liberties regulations in force.
8- Security
Security measures
It is our responsibility to put in place technical measures of security whether physical or software that we consider appropriate to combat the destruction, loss, alteration or unauthorised disclosure of data whether accidentally or illegally.
To achieve this, we may be assisted by any third party of our choice to proceed to audits of vulnerability or penetration tests at the frequency we consider necessary.
In any event, should the means ensuring the security and confidentiality of data of a personal nature be changed, we undertake to replace them with means of a superior performance. No development will result in the level of security being decreased.
In the case of subcontracting the processing of a part or the whole of data of a personal nature, we undertake to impose on our subcontractors contractual guarantees of security by means of technical measure to protect the data and the human resources necessary.
Data breaches
In the event of a breach of data of a personal nature, we undertake to notify the CNIL in the procedure outlined by the RGPD.
If the said breach poses a high risk for clients, partners and prospects and if the data have not been protected, we shall advise the persons concerned and communicate the information and recommendations necessary.
9- Contacts
Data protection representative
We have appointed a data protection representative whose address is: dpo-charentes.tourisme@racine.eu.
In the event of new processing of data of a personal nature, we first contact the data protection representative.
If you wish to obtain a specific item of information or ask a particular question, you may contact the data protection representative who will respond within a reasonable period of time in respect of the question asked or the information sought.
In the event of a problem encountered with the processing of your data of a personal nature, you may contact the data protection representative.
Right to make a complaint to the CNIL
Clients, partners and prospects concerned by the processing of their data of a personal nature are advised of their right to make a complaint to the supervisory authority, the CNIL, if they believe that the processing of data of a personal nature that concerns them is not in conformity with the European regulations for data protection:
Cnil – Service des plaintes
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tél : 01 53 73 22 22
Developments
This policy may be modified or updated at any time in the event of legal developments, recommendations by the CNIL or usage.
Any such new version of the policy shall be brought to the attention of clients, partners and prospects by an appropriate means including electronically (for example dissemination by email or online).
Further information
For further information, you may contact the DPO at this address:dpo-charentes.tourisme@racine.eu.
For further, more general information on data protection, consult the site of the CNIL: www.cnil.fr.