GDPR privacy policy

Since May 25, 2018, a new European law has entered into force (General Data Protection Regulation) and helps protect your data.

Dispositions générales

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, subcontractors, data subjects and data recipients.

Subsequently, and to implement the modifications of the RGPD, the law n ° 78-17 of January 6, 1978 known as Informatique et Libertés was the subject of a modification by the law n ° 2018-493 of June 20, 2018 and by Ordinance No. 2018-1125 of 12 December 2018 relating to data protection.

This policy is implemented by the Grand Montauban Tourist Office (hereinafter referred to as the “body”), which has as its main activities the development of the tourist offer, the promotion of tourist destinations and the marketing of tourism. tourist offer of the city of Montauban.

As part of our activity, we process personal data relating to the data of our customers, partners and prospects. For a good understanding of this policy, it is specified that:

– customers are understood to be all natural or legal persons engaged under a contract of any kind with our organization, it being specified that the latter is intended to work with professional tourism customers or the general public;

– the partners are understood as all natural or legal persons intervening in the tourism sector and as such maintaining relations with our organization, such as in particular tourism professionals of the department, project promoters and internal and external investors, holiday distributors, local authorities and their groups or even institutional partners;

– prospects are understood as any potential customer or contact recipient of promotional messages from our organization whose data was collected directly via contact forms, events or indirectly via any partner of the organization.

Purpose and scope

This personal data protection policy is intended to apply in the context of the implementation of the processing of personal data of our customers, partners and prospects.

As such, the purpose of this policy is to meet the information obligation of our organization and thus to formalize the rights and obligations available to customers, partners and prospects with regard to the processing of their data.

This policy relates only to the processing operations for which we are responsible as well as to data qualified as “structured”.

The processing of personal data can be managed directly by our organization or through a subcontractor specifically designated by it.

This policy is independent of any other document that may apply within the contractual relationship between us and our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not meet the principles general GDPR.

Any new treatment, modification or deletion of an existing treatment will be brought to the attention of customers, partners and prospects through a modification of this policy.

Les données des clients

Types of data collected

Non-technical data (depending on the use case)

– identity and identification (name, first name, date of birth, pseudo, customer number)

– contact details (email, postal address, telephone number) professional / personal life when necessary

Technical data (depending on the use case)

– identification data (IP address)

– connection data (logs, token in particular)

– acceptance data (click) location data

Origin of the data

We collect the data of our customers from:

– data provided by the customer (paper form, order form, contract, business card);

– electronic forms or forms completed by the client;

– data entered online (website, social networks, etc.);

– registration for events that we organize;

– databases shared between several partners, fed and operated by all of these partners;

– rental or acquisition of databases on an exceptional basis;

– communication of contacts through specialized companies or partners of our organization.

Purpose

Depending on the case, we process our customers’ data for the following purposes:

– customer relationship management ;

– sale of tourist stays directly or through distribution partners;

– management of organized events that we organize;

– sending newsletters or information feeds;

– management of customer accounts;

– improvement of our services;

– response to our administrative obligations;

– community management;

– production of statistics.

Retention periods

The retention period of our customers’ data is defined with regard to the legal and contractual constraints which weigh on us and failing this according to our needs and in particular according to the following principles:

Customer data: During the term of the contractual relationship, increased by 3 years for the purposes of animation and prospecting, without prejudice to retention obligations or limitation periods

Technical data: 1 year from collection

Cookies: See the cookies policy

After the set deadlines, the data is either deleted or kept after being anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Customers are reminded that deletion or anonymization are irreversible operations and we are subsequently unable to restore them.

Legal basis

The processing operations that we implement under this policy are all legally based on the implementation of contractual or pre-contractual measures or, in certain cases, the consent of the customer (eg sending of commercial prospecting messages).

Les données des partenaires

Types of data collected

Non-technical data (depending on the use case):

identity and identification (name, first name, date of birth, nickname)
contact details (e-mail, postal address, telephone number)
professional life (function, job title, etc.)

Technical data (depending on the use case)

identification data (IP address)
connection data (logs, token in particular)
acceptance data (click)
location data
Origin of the data

We collect the data of our partners from:

information collected directly via partners, in particular via shared databases;
electronic forms or forms completed by partners;
registrations or subscriptions to our online services (newsletter, social networks).
Purpose

Depending on the case, we process our customers’ data for the following purposes:

management of the partner relationship;
labeling of sites and equipment for the sectors entrusted by the organization;
tourism engineering operations (diagnostics and feasibility studies, support for setting up projects and grant application files);
networking and consultation operations between the various partners;
marketing assistance operations for partner service providers;
management of the events we organize (trade fairs, workshops, etc.);
training operations for partner service providers;
research operations for distribution partners;
production of statistics.
Retention periods

The retention period of the data of our partners is defined with regard to the legal and contractual constraints which weigh on us and failing this according to our needs and in particular according to the following principles:

Customer data: During the term of the contractual relationship, increased by 3 years for the purpose of monitoring the relationship, without prejudice to retention obligations or limitation periods

Technical data: 1 year from collection

Cookies: See the cookies policy

After the set deadlines, the data is either deleted or kept after being anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Partners are reminded that deletion or anonymization are irreversible operations and that we are no longer able to restore them thereafter.

Legal basis

The processing operations that we implement under this policy are all legally based on the implementation of contractual or pre-contractual measures.

Les données des prospects

Types of data collected

Non-technical data (depending on the use case):

identity and identification (name, first name, date of birth, nickname)
contact details (e-mail, postal address, telephone number)
professional life (function, job title, etc.)

Technical data (depending on the use case):

identification data (IP address)
connection data (logs, token in particular)
acceptance data (click)
location data
Origin of the data

We collect the data of our prospects from:

data provided by the prospect (paper form, business card, etc.);
electronic forms or forms completed by the prospect;
data entered online (website, social networks, etc.);
registration or subscription to our online services (website, social networks);
registration for events that we organize;
databases shared between several partners, fed and operated by all of these partners;
list provided by the organizers of events or conferences in which we participate;
rental of databases on an exceptional basis;
communication of contacts through specialized companies or partners.
Purpose

Depending on the case, we process the data of our prospects for the following purposes:

prospect relationship management;
management of the events we organize;
sending our newsletters or news feeds;
animation of websites in partnership with our partners;
operation to promote our organization and tourism in the city of Montauban on social networks (Facebook, Twitter, YouTube, Instagram, etc.)
behavioral analysis of prospects;
community management;
production of statistics.
Retention periods

The retention period of the data of our prospects is defined with regard to the legal and contractual constraints which weigh on us and failing this according to our needs and in particular according to the following principles:

Customer data: For 3 years from their collection or from the last contact from the prospect

Technical data: 1 year from collection

Cookies: See the cookies policy

After the set deadlines, the data is either deleted or kept after being anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Prospects are reminded that deletion or anonymization are irreversible operations and that we are no longer able to restore them thereafter.

Legal basis

The purposes of processing prospects presented above are based on the following legality conditions:

execution of pre-contractual measures;
legitimate interest of our organization;
consent of the prospect when required by law (example concerning the sending of commercial prospecting messages).

Destinataires des données

We ensure that data is only accessible to authorized internal or external recipients and subject to an appropriate obligation of confidentiality.

Internally, we decide which recipient can have access to which data according to an authorization policy.

All access to processing relating to the personal data of customers, partners and prospects is subject to a traceability measure.

In addition, personal data may be communicated to any authority legally entitled to know it. In this case, we are not responsible for the conditions under which the personnel of these authorities have access to and use the data.

Internal recipients: Authorized staff within our structure (staff in charge of marketing, customer relationship management, service provider and prospect, administrative staff, staff in charge of IT) and their line managers.

External recipients:

Tourism partners who access the shared file in which the data may appear;
providers or support services;
authorized personnel of the services responsible for control (auditor, services responsible for internal control procedures, etc.);
administration, auxiliary of justice if necessary.

Droit des personnes

Right of access and copy

Customers, partners and prospects traditionally have a right to request confirmation whether or not data concerning them is being processed.

They also have a right to access their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the client, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Otherwise, we reserve the right to request the communication of any element allowing its identification, such as in particular a copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data which is subject to processing. However, in the event of a request for an additional copy, we may require the financial support of this cost by customers, partners and prospects.

If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided to them in a commonly used electronic form, unless requested otherwise.

Customers, partners and prospects are informed that this right of access cannot relate to information or data which is confidential or for which the law does not allow communication.

The right of access must not be exercised in an abusive manner, that is to say carried out on a regular basis for the sole purpose of destabilizing the service concerned.

Updating – updating and rectification

We meet update requests:

automatically for online changes to fields that technically or legally can be updated;
on written request from the person himself who must prove his identity.
Right to erasure

The right to erasure of customers, partners and prospects will not apply in cases where the processing is implemented to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the erasure of their data in the following limiting cases:

personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
the data subject objects to processing necessary for the purposes of the legitimate interests pursued by us and there are no compelling legitimate grounds for the processing;
the data subject objects to the processing of their personal data for prospecting purposes, including profiling;
the personal data have been the subject of unlawful processing.
Right to limitation

Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing operations that we carry out are lawful and that all the personal data collected are necessary for the implementation of the purposes of processing them.

Right to portability

We grant data portability requests in the particular case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and execution of a contract. In this case, the data is communicated to the requestor in a structured, commonly used and machine-readable format.

Automated individual decision

We do not make any automated individual decisions.

The tools offered on our website are only support tools for customers and prospects and should not be considered otherwise.

Post-mortem law

Customers, partners and prospects are informed that they have the right to formulate guidelines for the retention, erasure and communication of their post-mortem data.

Exercise of rights

The aforementioned rights are exercised, at the option of the interested party, by e-mail or by post to the following contact details: dpo-otdemontauban@racine.eu

Dispositions complémentaires

Optional or mandatory nature of responses

Customers, partners and prospects are informed of the mandatory or optional nature of the responses by the presence of an asterisk on each personal data collection form submitted to it. In the event that answers are required, we explain to them the consequences of not responding.

Right of use

Our organization is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.

However, the enriched data which is the result of processing and analysis work on our part, otherwise called enriched data, remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we can involve any subcontractor of our choice as part of the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose on subcontractors the same data protection obligations as itself. In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the GDPR.

Cross-border flows

Our organization reserves the sole choice of whether or not to have cross-border flows for the personal data it processes.

In the event of transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are respected. If necessary, we undertake to sign one or more contracts to regulate cross-border data flows.

The provisions relating to cross-border flows are enforceable against us, except in the exceptional cases provided for in Article 49 of the GDPR.

Processing register

As data controller, we are committed to keeping an up-to-date record of all processing activities carried out.

This register is a document or application making it possible to identify all the processing operations that we carry out as data controller.

We undertake to provide the supervisory authority, at first request, with information enabling the said authority to verify the compliance of processing with the IT regulations and freedoms in force.

Sécurité

Security measures

It is our responsibility to define and implement the technical security measures, physical or logical, that we consider appropriate to fight against the destruction, loss, alteration or unauthorized disclosure of data accidentally or unlawfully.

To do this, we may enlist the assistance of any third party of our choice to carry out, at the frequencies that we deem necessary, vulnerability audits or intrusion tests.

In any event, we undertake, in the event of a change in the means aimed at ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change can lead to a decrease in the level of security.

In the event of subcontracting of part or all of the processing of personal data, we undertake to contractually impose on our subcontractors security guarantees by means of technical measures to protect this data. and the appropriate human resources.

Data breach

In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the GDPR.

If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

Contacts

Data protection officer

We have appointed a data protection officer whose contact details are as follows: Me Eric Barby, Racine law firm, 40 rue de Courcelles, 75008 Paris, dpo-otdemontauban@racine.eu.

In the event of new processing of personal data, we will first contact the data protection officer.

If you wish to obtain specific information or ask a particular question, you can refer to the data protection officer who will give you an answer within a reasonable time with regard to the question asked or the information required.

In the event of a problem encountered with the processing of your personal data, you can contact the designated data protection officer.

Right to lodge a complaint with the CNIL

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, if they consider that the processing of personal data personnel concerning them does not comply with European data protection regulations, at the following address:

Cnil – Complaints Department

3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07

Phone: 01 53 73 22 22

Evolution

This policy may be modified or amended at any time in the event of legal or jurisprudential changes in the decisions and recommendations of the CNIL or in practice.

Any new version of this policy will be brought to the attention of customers, prospects and partners by any means that we define, including by electronic means (distribution by email or online for example).

For more information

For any further information, you can contact the DPO at the aforementioned address, in this case dpo-otdemontauban@racine.eu.

For any other more general information on the protection of personal data, you can consult the Cnil website www.cnil.fr.