Famille faisant un jeu de piste dans le Massif des Vosges
Discover The Vosges mountains Back

Data protection policy

Data protection policy for customers, partners and prospective customers

1.General provisions

Background

 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereafter GDPR) sets out the legal framework for the processing of personal data. This text reinforces the rights and obligations of controllers, processors, data subjects and recipients.

 

Following the passage of this regulation, and to implement the changes brought in by the GDPR, French law no. 78-17 of 6 January 1978, known as the “data freedoms” law, was amended by law no. 2018-493 of 20 June 2018 and by order no. 2018-1125 of 12 December 2018 on data protection.

 

This is the policy operated by Alsace Destination Tourisme (hereafter “the organisation”), whose main activities are to support local bodies and through them develop provisions for tourism and tourist services; to market products and services for tourists through Destination Alsace and to promote and communicate on behalf of tourist destinations, principally working through the “Visit Alsace”, “Alsace à Vélo”, “Alsace Terre de Châteaux forts”, “Les coups de cœur de Liesel” and “Massif des Vosges” brands.

 

In the course of our operations, we process personal data belonging to our customers, partners and prospective customers. The following definitions are provided to assist in the comprehension of this policy:

 

 

Object and scope

 

This data protection policy will apply to the processing carried out on the personal data of our customers, partners and prospective customers.

 

Consequently, the object of the policy is to fulfil our organisation’s duty to provide information, and in doing so to formally set out the rights and obligations of our customers, partners and prospective customers as regards the processing of their data.

 

This policy only covers the processing for which we are responsible, and only covers data which is classified as “structured”.

 

The processing of personal data may be managed directly by our organisation or via a processor that we specifically designate.

 

This policy stands independently of any other document that may apply within the contractual relationship that we have with our customers, partners and prospective customers.

We will not undertake any processing of our customers’, partners’ or prospective customers’ data if it is not carried out on personal data collected by or for our organisation or processed in conjunction with our organisation, and if it does not comply with the general principles of the GDPR.

 

We will make our customers, partners and prospective customers aware of any new processing, change to processing or cessation of existing processing by amending this policy.

2. Customer data

Types of data collected

 

Non-technical data (as required by the usage)

Technical data (as required by the usage)

Origin of data

 

We collect our customers’ data from:

 

 

Purposes

 

As appropriate to the situation, we process our customers’ data for the following purposes:

 

Retention periods

The retention period for our customers’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

Processing  -  Retention period
Customer data  :  For the duration of the contractual relationship, and then for an additional three years afterwards for community management and sales development purposes, without prejudice to retention obligations or limitation periods.
Technical data  :  1 year from the collection date
Cookies : 13 months
 

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

 

Customers are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

 

Lawful basis

All the processing operations that we carry out under this policy have as a lawful basis the performance of a contract, including entering into the contract, or, in certain cases, customer consent (e.g. to send direct marketing messages).

3. Partner data

 

Types of data collected

 

Non-technical data (as required by the usage)

Technical data (as required by the usage)

Origin of data

 

We collect our partners’ data from:

                                                                                                                                                                              

Purposes

 

As appropriate to the situation, we process our partners’ data for the following purposes:

 

Retention periods

 

The retention period for our partners’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

 

Processing - Retention period
Partner data : For the duration of the contractual relationship, and then for an additional three years afterwards for the purpose of following up the relationship, without prejudice to retention obligations or limitation periods.
Technical data : 1 year from the collection date
Cookies : 13 months
 

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

 

Partners are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

 

Lawful basis

 

All the processing operations that we carry out under this policy have as a lawful basis:

 

4. Prospective customer data

 

Types of data collected

 

Non-technical data (as required by the usage)

Technical data (as required by the usage)

Origin of data

 

We collect prospective customers’ data from:

 

Purposes

 

As appropriate to the situation, we process our prospective customers’ data for the following purposes:

 

Retention periods

 

The retention period for our prospective customers’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

Processing - Retention period
Prospective customer data : 3 years from the collection date or the last contact from the prospective customer
Technical data : 1 year from the collection date
Cookies : 13 months
 

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

 

Prospective customers are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

 

Lawful basis

 

The purposes of processing for the prospective customer data described above are covered by the following lawful bases:

 

5. Data recipients

 

We ensure that data can only be accessed by authorised internal and external recipients, who are bound by an appropriate duty of confidentiality. Within our organisation, we use an authorisation policy to decide which recipients can access which data.

 

Traceability measures are in place for any access involving our customers’, partners’ or prospective customers’ data.

 

In addition, personal data can be communicated to any authority legally entitled to have knowledge of it. In such cases, we cannot be held responsible for the conditions under which the staff of these authorities access and use the data.

 

Internal recipients

Authorised staff within our organisation (staff in charge of marketing and customer, service provider and prospective customer relationship management, administrative staff and IT staff) and their line managers.

 

External recipients

6. Rights of data subjects

 

Right of access and copy

 

Conventionally, customers, partners and prospective customers have the right to ask for confirmation as to whether data about them has been processed or not.

 

They also have the right to access their data, meaning the right to obtain full information regarding the processing of their personal data.

 

Should a customer, partner or prospective customer wish to exercise this right, they must submit the request personally and there must be no doubt as to their identity. If there is a doubt, we reserve the right to ask the person to provide proof of their identity in the format of their choice. This is most frequently a copy of their identity document.

 

Customers, partners and prospective customers have the right to request a copy of their personal data that is being processed. If, however, they request a further copy, we may require them to cover the cost of this.

If the customer, partner or prospective customer sends their request for a copy of their data in an electronic format, the required information will be provided in a standard electronic format, unless otherwise requested.

 

Customers, partners and prospective customers should be aware that this right to access data does not extend to confidential data or information, nor to any data or information which may not legally be communicated.

The right to access must not be exercised inappropriately, meaning that requests must not be submitted on a regular basis with the sole objective of disrupting the department concerned.

 

Updates and rectifications

 

We will perform requested updates and rectifications:

 

Right to erasure

 

The right to erasure of a customer’s, partner’s or prospective customer’s data will not be applicable in cases where the processing is carried out on the basis of a legal obligation. In other situations, customers, partners and prospective customers have the right to ask for their data to be erased in the following cases only:

 

 

Right to restrict processing

 

Customers, partners and prospective customers are informed that this right does not apply because the processing that we carry out is lawful and because all the personal data that we collect is necessary in order to achieve the purposes for which it is processed.

 

Right to data portability

 

We will accept data portability requests in specific cases relating to data communicated by customers, partners and prospective customers themselves, via our online services, and only where they fall under the purposes of consent and the performance of a contract. In such cases, the data will be provided to the person submitting the request in a structured, standard format that can be read by a machine.

 

Individual automated decision-making

 

We do not use any individual automated decision-making.

 

The tools on our website are provided solely to assist customers and prospective customers and shall not be construed otherwise.

 

Post-mortem rights

 

Customers, partners and prospective customers are informed that they have the right to issue directives concerning how their data should be retained, deleted and communicated after their death.

 

How to exercise your rights

To exercise your rights as laid out above, please contact, by email or by post, as you prefer:

 

Eric Barbry,
Cabinet Racine

40 rue de Courcelles

75008 PARIS, France

Email: dpo-adtalsace@racine.eu

7. Additional provisions

 

Optional and required responses

 

When personal data collection forms are presented to customers, partners and prospective customers, asterisks are used to indicate which responses are required and which are optional. Where responses are required, we explain the consequences of not providing them.

 

Usage rights

 

Customers, partners and prospective customers give our organisation the right to use and process their personal data for the purposes laid out above.

However, data that we create through processing and analysing operations, also known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).

 

 

Processors

 

Please be aware that we may involve any processor of our choice in processing your data. In such cases, we will ensure that the processor complies with their obligations under the GDPR.

 

We undertake to sign a written contract with all our data processors and hold them to the same data protection obligations to which we ourselves are subject. In addition, we reserve the right to audit our processors to ensure that they are complying with the provisions of the GDPR.

 

Cross-border data flows

 

We reserve the right to decide independently whether to allow the personal data we process to flow across borders.

 

If we transfer your personal data outside the European Union or to an international organisation, we will make you aware of this and ensure that your rights are fully respected. If necessary, we undertake to sign one or more agreements to govern cross-border data flows.

 

We are bound by the provisions relating to cross-border data flows, except where the derogations laid down in article 49 of the GDPR apply.

 

Data processing register

 

As the data controller, we undertake to keep an up-to-date register of data processing activities, where the law requires us to do so.

 

This register takes the form of a document or application listing all the processing that we as the data processor carry out.

 

We undertake to provide the supervisory authority, on demand, with the information it needs to ensure that the processing has been carried out in accordance with the current data privacy legislation.

 

8.Security

Data security measures

 

We are responsible for defining and implementing the technical security measures, physical or logical, that we consider appropriate to guard against the destruction, loss, alteration or unauthorised disclosure of data, whether accidental or illicit.

 

To this end, we may seek the assistance of any third party of our choice to carry out, as often as we deem necessary, vulnerability audits and penetration tests.

 

We undertake, in any situation where we change the measures used to protect the security and confidentiality of personal data, to replace them with measures offering a superior level of performance. No upgrade will be allowed to lead to a reduction in the level of security.

 

If we entrust all or part of our personal data processing to data processors, we undertake to specify in our agreements with these processors security guarantees in the form of technical protection measures for the data, as well as the necessary human resources.

 

Data protection breaches

 

Should a data protection breach occur, we undertake to notify the CNIL (French data protection agency) under the conditions set out in the GDPR.

 

If the breach involves a high risk for our customers, partners and prospective customers and their data has not been protected, we will notify the data subjects and provide them with the necessary information and recommendations.

9. Contacts

 

Data protection officer

 

We have appointed a data protection officer. His name is Eric Barbry of Cabinet Racine (a law firm) at 40 rue de Courcelles, 75008 Paris, France – Email: dpo-adtalsace@racine.eu

 

We will contact our data protection officer before adding any additional form of data processing.

 

If you wish to obtain any particular information or ask a specific question, you can contact our data protection officer who will provide you with an answer within a period of time that is reasonable considering the question asked or information requested.

 

If you experience any kind of problem as regards the processing of your data, you can again contact our appointed data protection officer.

 

Right to lodge a complaint with the CNIL

 

Please be aware that as a customer, partner or prospective customer whose personal data is processed, if you judge that the way your data has been processed is not compliant with the European data protection regulations, you have the right to lodge a complaint with the supervisory authority (CNIL), at the following address:

Cnil – Service des plaintes

3 place de Fontenoy- TSA 80715, 75334 PARIS CEDEX 07, France

Tel: +33 (0)1 53 73 22 22

 

 

Changes to the policy

 

This policy may be amended or adjusted at any time in the event of a change to the law, case law, CNIL recommendations and decisions, or common practices.

 

We will make customers, partners and prospective customers aware of any new version of the policy by any method of our choosing, which may be an electronic method (distribution by email or online, for example).

 

Further information

 

Should you require any further information, please contact the DPO at the address given above: Eric Barbry, Cabinet Racine, 40 rue de Courcelles, 75008 Paris, France – Email: dpo-adtalsace@racine.eu

 

For any other more general information about data protection, please visit the CNIL website www.cnil.fr

Did you like this content? Give your opinion.

Thank you for voting!

Matomo