Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the modifications of the RGPD, the law n°78-17 of January 6, 1978, known as the Data Protection Act, was amended by the law n°2018-493 of June 20, 2018 and by the ordinance n°2018-1125 of December 12, 2018 relating to data protection.
This policy is implemented by the Grand Montauban Tourist Office (hereinafter referred to as “the organization”), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of the tourist offer of the city of Montauban.
Within the framework of our activity, we implement personal data processing relating to the data of our customers, partners and prospects. For a good understanding of the present policy, it is specified that :
– the customers are understood as all physical or moral persons engaged under a contract of some nature that it is with our organization, being specified that this one has vocation to work with customers professionals of tourism or the general public;
– partners are understood to be all natural or legal persons involved in the tourism sector and maintaining relations with our organization, such as tourism professionals in the department, project leaders and internal and external investors, holiday distributors, local authorities and their groups or institutional partners;
– Prospects are understood as any potential customer or any contact recipient of promotional messages from our organization whose data was collected directly via contact forms, events or indirectly via any partner of the organization.
Purpose and Scope
This privacy policy is intended to apply in the context of the implementation of the processing of personal data of our customers, partners and prospects.
As such, the purpose of this policy is to satisfy our organization’s obligation to provide information and thus to formalize the rights and obligations of customers, partners and prospects with regard to the processing of their data.
This policy only covers the processing for which we are responsible as well as the data qualified as “structured”.
The processing of personal data may be managed directly by our organization or through a subcontractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between us and our customers, partners and prospects. We do not process data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be made known to customers, partners and prospects by means of an amendment to this policy.
Types of data collected
Non-technical data (depending on use cases)
– Identity and identification (last name, first name, date of birth, nickname, customer number)
– contact information (email, postal address, phone number) professional / personal life when necessary
Technical data (depending on use cases)
– identification data (IP address)
– connection data (logs, token in particular)
– acceptance data (click) location data
Origin of data
We collect our customers’ data from:
– data provided by the customer (paper form, order form, contract, business card) ;
– electronic forms or forms filled out by the customer;
– data entered online (website, social networks, …);
– registration to events that we organize;
– databases shared between several partners, fed and exploited by all these partners;
– rental or acquisition of databases on an exceptional basis;
– communication of contacts through specialized companies or partners of our organization.
Finalities
Depending on the case, we process our clients’ data for the following purposes:
– customer relationship management;
– sale of tourist stays directly or via distribution partners;
– management of the events we organize;
– sending newsletters or information feeds;
– management of customer accounts;
– improving our services;
– meeting our administrative obligations;
– community management;
– performing statistics.
Storage periods
The duration of the retention of our customers’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
Customer data: For the duration of the contractual relationship, increased by 3 years for animation and canvassing purposes, without prejudice to retention obligations or limitation periods
Technical data: 1 year from the date of collection
Cookies: See the cookies policy
After the set deadlines, the data are either deleted or kept after being anonymized, particularly for statistical purposes. They may be kept in case of pre-litigation and litigation.
Customers are reminded that deletion or anonymization are irreversible operations and we are not, thereafter, able to restore them.
Legal basis
The processing that we implement under this policy are all legally based on the implementation of contractual or pre-contractual measures or, in some cases, the consent of the customer (e.g.: sending commercial prospecting messages).
Types of data collected
Non-technical data (depending on use cases):
- identity and identification (last name, first name, date of birth, screen name)
- contact information (email, mailing address, phone number)
- work life (position, job title, etc.)
Technical data (depending on use cases)
- identification data (IP address)
- connection data (logs, token in particular)
- acceptance data (click)
- location data
Origin of data
We collect data from our partners from:
- information collected directly via partners, including via shared databases;
- electronic forms or forms completed by partners;
- registrations or subscriptions to our online services (newsletter, social networks).
Finalities
Depending on the case, we process our customers’ data for the following purposes:
- partner relationship management;
- labeling of sites and equipment for the channels entrusted by the organization;
- tourism engineering operations (diagnoses and feasibility studies, support for the development of projects and grant application files);
- operations of networking and consultation of different partners;
- operations to assist in the marketing of partner providers;
- management of the events we organize (trade shows, workshops, etc.);
- training operations for partner providers;
- operations of research of distribution partners;
- realisation of statistics.
Storage periods
The duration of the retention of our partners’ data is defined in light of the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
Customer data: For the duration of the contractual relationship, increased by 3 years for the purpose of monitoring the relationship, without prejudice to retention obligations or limitation periods
Technical data : 1 year from the date of collection
Cookies : See the cookies policy
After the set deadlines, the data are either deleted or kept after being anonymized, particularly for statistical purposes. They may be kept in case of pre-litigation and litigation.
Partners are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.
Legal basis
The processing that we implement under this policy are all legally based on the implementation of contractual or pre-contractual measures.
Types of data collected
Non-technical data (depending on use cases):
- identity and identification (last name, first name, date of birth, screen name)
- contact information (email, mailing address, phone number)
- work life (position, job title, etc.)
Technical data (depending on use cases):
- identification data (IP address)
- connection data (logs, token in particular)
- acceptance data (click)
- location data
Origin of data
We collect our prospects’ data from:
- data provided by the prospect (paper form, business card, …);
- electronic forms or forms filled out by the prospect;
- data entered online (website, social networks, …);
- registration or subscription to our online services (website, social networks);
- registration to events that we organize;
- databases shared between several partners, fed and operated by all of these partners;
- list communicated by the organizers of events or conferences in which we participate;
- database rental on an exceptional basis;
- communication of contacts through specialized companies or partners.
Finalities
Depending on the case, we process our prospects’ data for the following purposes:
- managing the prospect relationship;
- managing the events we organize;
- sending our newsletters or news feeds;
- animation of websites in partnership with our partners;
- operation of promotion of our organization and tourism in the city of Montauban on social networks (Facebook, Twitter, YouTube, Instagram, …)
- behavioral analysis of prospects;
- community management;
- realisation of statistics;
Retention periods
The duration of the retention of our prospects’ data is defined with regard to the legal and contractual constraints that weigh on us and failing that according to our needs and in particular according to the following principles:
Customer data: For 3 years from the date of collection or the last contact from the prospect
Technical data: 1 year from its collection
Cookies: See cookie policy
After the set deadlines, the data are either deleted or kept after being anonymized, particularly for statistical purposes. They may be kept in case of pre-litigation and litigation.
Prospects are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.
Legal basis
The purposes for processing leads presented above are based on the following lawfulness requirements:
- execution of pre-contractual measures;
- legitimate interest of our organization;
- consent of the prospect when required by law (e.g. with regard to the sending of commercial prospecting messages).
We ensure that data is only accessible to authorized internal or external recipients who are subject to an appropriate obligation of confidentiality.
Internally, we decide which recipient will have access to which data based on an empowerment policy.
All accesses concerning processing of personal data of customers, partners and prospects are subject to a traceability measure.
Furthermore, personal data may be communicated to any authority legally entitled to know about it. In this case, we are not responsible for the conditions under which the personnel of these authorities have access to and use the data.
Internal recipients: Authorized personnel within our structure (personnel in charge of marketing, customer relationship management, service provider and prospect, administrative personnel, personnel in charge of IT) and their line managers.
External recipients:
- Tourist partners who access the shared file in which the data may appear;
- support providers or services;
- authorized personnel of the services in charge of control (auditor, services in charge of internal control procedures, etc.);
- administration, court officer if applicable.
Right of access and copy
Customers, partners and prospects traditionally have a right to request confirmation as to whether or not data about them is being processed.
They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.
In such a case, the client, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Otherwise, we reserve the right to request the communication of any element allowing its identification, such as in particular the copy of an identity document.
Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require that customers, partners and prospects pay for this cost.
If customers, partners and prospects submit their request for a copy of the data electronically, the requested information will be provided to them in a commonly used electronic form, unless otherwise requested.
Customers, partners and prospective customers are informed that this right of access may not relate to confidential information or data, or to information which may not be disclosed by law.
The right of access must not be exercised in an abusive manner, i.e. carried out on a regular basis with the sole purpose of destabilizing the service concerned.
Update – update and rectification
We comply with requests for updates:
- automatically for online changes to fields that technically or legally can be updated;
- upon written request from the person themselves who must provide proof of identity.
Right to erasure
The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation. Outside of this situation, customers, partners and prospects will be able to request the deletion of their data in the following limited cases:
- the personal data is no longer necessary with regard to the purposes for which it was collected or otherwise processed;
- when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to processing necessary for the purposes of the legitimate interests we pursue and there is no compelling legitimate reason for the processing;
- the data subject objects to processing of his or her personal data for the purpose of canvassing, including profiling;
- the personal data have been processed unlawfully.
Right to limitation
Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing that we implement is lawful and that all personal data collected is necessary for the implementation of the purposes of the processing thereof.
Right to portability
We grant requests for data portability in the particular case of data provided by customers, partners and prospects themselves, on our online services and for purposes based solely on the consents of individuals and performance of a contract. In this case, the data is provided to the applicant in a structured, commonly used and machine-readable format.
Automated individual decision
We do not make any automated individual decisions.
The tools offered on our website are only tools to assist customers and prospects and should not be considered otherwise.
Post Mortem Rights
Customers, partners and prospects are informed that they have the right to formulate directives regarding the retention, deletion and communication of their post-mortem data.
Exercise of Rights
The exercise of the aforementioned rights is carried out, at the choice of the interested party, by e-mail or by post to the following address: dpo-otdemontauban@racine.eu
Optional or mandatory nature of responses
Customers, partners and prospects are informed of the mandatory or optional nature of responses by the presence of an asterisk on each personal data collection form submitted to them. In the event that responses are mandatory, we explain to them the consequences of not responding.
Right to use
Our organization is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.
However, the enriched data that is the result of processing and analysis work on our part, otherwise known as the enriched data, remains our exclusive property (usage analysis, statistics, etc.).
Subcontracting
We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we will ensure that the subcontractor complies with its obligations under the GDPR.
We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on the subcontractors as ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the provisions of the GDPR.
Transborder Flows
Our organization reserves the sole choice of whether or not to have transborder flows for the personal data it processes.
In case of transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are properly respected. If necessary, we will sign one or more contracts to govern transborder data flows.
The provisions relating to cross-border flows are enforceable against us, except in the derogatory cases provided for in Article 49 of the GDPR.
Register of processing
As a data controller, we undertake to keep an up-to-date record of all processing activities carried out.
This register is a document or application to identify all processing activities that we implement as a controller.
We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.
Security Measures
It is our responsibility to identify and implement the technical security measures, physical or logical, that we deem appropriate to combat accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.
To this end, we may engage the assistance of any third party of our choice to conduct vulnerability audits or penetration tests at such intervals as we deem necessary.
In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting part or all of a personal data processing, we undertake to contractually impose on our subcontractors security guarantees through technical measures to protect such data and the appropriate human resources.
Data Breach
In the event of a personal data breach, we undertake to notify the Cnil in the conditions prescribed by the RGPD.
If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.
Data Protection Officer
We have appointed a data protection delegate whose contact details are as follows: Me Eric Barby, Racine law firm, 40 rue de Courcelles, 75008 Paris, dpo-otdemontauban@racine.eu.
In the event of new processing of personal data, we will refer to the data protection officer beforehand.
If you wish to obtain specific information or ask a specific question, you can contact the data protection officer who will give you an answer within a reasonable timeframe with regard to the question asked or the information required.
In the event of a problem encountered with the processing of your personal data, you may refer the matter to the designated data protection officer.
Right to file a complaint with the Cnil
Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data concerning them does not comply with the European data protection regulations, at the following address:
Cnil – Complaints Department
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tel : 01 53 73 22 22
Changes
This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the Cnil, or practices.
Any new version of this policy will be brought to the attention of customers, prospects and partners by any means we define, including electronically (broadcast by email or online for example).
For more information
For any additional information, you can contact the DPO at the above address, in this case dpo-otdemontauban@racine.eu.
For any other more general information on the protection of personal data, you can consult the Cnil website www.cnil.fr.