Privacy policy

1. General provisions

Introduction

The EU Regulation 2016/679 from the European Parliament and Council on 27th April 2016 relating to data protection (hereinafter RGPD) created the legal framework applicable to the processing of personal data.  The text reinforces the rights and obligations of those responsible for data processing, of subcontractors, of people involved, and of the recipients of the data. 

Subsequently and so as to put in place modifications to the RGPD, law 78-17 of 6th January 1978 (known as Information Technology and Freedoms) was modified by law 2018-493 of 20th June 2018 and by regulation 2018-1125 of 12th December 2018 relating to data protection.

The policy below has been adopted by Charentes Tourisme (hereinafter known as “the organization”) whose main activities are the development of tourism, the promotion of tourism destinations, and the marketing of the territories of Charente and Charente-Maritime.

In the course of our activity, we put in place processing of data of a personal nature relating to the data of our clients, partners, and prospects. To be clear:

  • the term “clients” includes any person or legal entity committed by a contract of whatsoever nature to our organization, bearing in mind that the role of the organization is to work with clients who are tourism professionals or the public at large;
  • the term “partners” includes any person or legal entity in the tourism sector maintaining in this respect relations with our organization such as departmental tourism professionals, project promoters and internal and external investors, tour operators, local authorities, and their associations or institutional partners;
  • the term “prospects” includes any potential client or any contact receiving promotional messages from our organization whose data have been collected directly via contact forms, at events, or indirectly via any partner of the organization.

Purpose and scope

The current policy of protection of data of a personal nature is intended as the framework for implementation of the processing of data of a personal nature of our clients, partners, and prospects.

Thus, the purpose of the policy is to satisfy the obligation for information by our organization and to formalize the rights and obligations that our clients, partners, and prospects have in relation to their data.

The policy relates only to data for which we are responsible as well as data identified as “structured”;

Processing data of a personal nature may be managed directly by our organization or through a subcontractor specifically appointed by us.

This policy is independent of any other document that may be applied to the contractual relationship that links us to our clients, partners, and prospects. No processing of data provided by our clients, partners, and prospects takes place if it does not relate to data of a personal nature collected by or for our services or processed with our services and if it does not meet the general principles of the RGPD.

Any new processing, modification, or suppression of existing processing shall be brought to the attention of our clients, partners, and prospects by means of the modification of this policy.

2. Clients' data

Types of data collected

Non-technical data

(according to usage)

  • identity and identification (surname, first name, date of birth, pseudo, client number)
  • address & phone number (email, postal address, phone number)
  • professional life / personal life when necessary

Technical data

(according to usage)

  • identification data (IP address)
  • connection data (logs, token particularly)
  • acceptance data (click)
  • location data


Origin of data

We collect clients' data from:

 

  • data provided by the client (paper forms, orders, contracts, visiting cards);
  • electronic forms completed by the client;
  • data collected online (websites, social media…);
  • registration at events that we organize;
  • databases pooled between several partners, supplied and exploited by these partners;
  • exceptionally renting or acquisition of databases;
  • communication of contacts through specialist businesses or partners of our organization.

Purposes

Depending on the case, we process clients’ data for the following purposes:

  • management of client relationships;
  • sale of holidays directly or via tour operator partners;
  • management of events that we organize;
  • sending of newsletters or news feeds;
  • management of client accounts;
  • improvement of our services;
  • meeting our administrative obligations;
  • community management;
  • creation of statistics.


Retention periods

The retention period for our clients’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:

Process

Period of retention

Data relating to clients

For the duration of the contractual relationship, increased by 3 years for the purposes of prospection and activities without prejudice to the obligations of retention and limitation periods

Technical data

1 year from the date of collection

Cookies

13 months


Clients are reminded that deletion and anonymization of data are irreversible and we are thus not in a position to restore them. Once past these fixed periods, data are either deleted or retained after being anonymized, notably for statistical purposes.  They may be retained in case of claims or litigation.

Legal basis

Processing in respect of this policy is undertaken on the legal basis of implementation of contractual or pre-contractual measures or, in certain cases, the consent of the client (e.g.: despatch of commercial prospection messages).

3. Partners' data

Types of data collected

Non-technical data

(according to usage)

  • identity and identification (surname, first name, date of birth, pseudo, client number)
  • address & phone number (email, postal address, phone number)
  • professional life / personal life when necessary

Technical data

(according to usage)

  • identification data (IP address)
  • connection data (logs, token particularly)
  • acceptance data (click)
  • location data

Origin of data

We collect partners’ data from:

  • information provided directly by the partner;
  • electronic forms completed by the partner;
  • registration or subscription to our online services (newsletter, social media).

Purposes

Depending on the case, we process partners’ data for the following purposes:

  • management of partner relationships;
  • labelling of sites and facilities for procedures transferred by the organisation;
  • technical tourism operations (diagnostics and feasibility studies, support for setting up projects and requests for financial subsidy)
  • networking operations and consultation with different partners;
  • assisting our service partners with marketing;
  • management of events that we organise (salons, workshops etc);
  • training operations with our service partners;
  • research operations with our distributor partners;
  • creation of statistics.

Retention periods

The retention period for our partners’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:

Process

Period of retention

Data relating to clients

For the duration of the contractual relationship, increased by 3 years for the purposes of prospection and activities without prejudice to the obligations of retention and limitation periods

Technical data

1 year from the date of collection

Cookies

13 months

Once past these periods, data are either deleted or retained after being anonymized, notably for statistical purposes.  They may be retained in case of claims or litigation.

Partners are reminded that deletion and anonymization of data are irreversible and we are thus not in a position to restore them.

Legal basis

Processing in respect of this policy is undertaken on the legal basis of the implementation of contractual or pre-contractual measures.


4. Prospects' data

Types of data collected

Non-technical data

(according to usage)

  • identity and identification (surname, first name, date of birth, pseudo, client number)
  • address & phone number (email, postal address, phone number)
  • professional life / personal life when necessary

Technical data

(according to usage)

  • identification data (IP address)
  • connection data (logs, token particularly)
  • acceptance data (click)
  • location data

Origin of data 

We collect prospects’ data from:

  • data provided by the prospect (paper forms, visiting cards);
  • electronic forms completed by the client;
  • data collected online (websites, social media…);
  • registration or subscription to our online services (website, social media);
  • registration at events that we organize;
  • databases pooled between several partners, supplied and exploited by these partners;
  • lists provided by organizers of events or conventions that we participate in;
  • exceptionally renting databases;
  • communication of contacts through specialist businesses or partners.

Purposes

Depending on the case, we process prospects’ data for the following purposes:

  • management of prospect relationships;
  • management of events that we organize;
  • despatch of newsletters or newsfeeds;
  • activation of internet sites in partnership with our partners;
  • promotional operations of our organization and tourism on social media (Facebook, Twitter, YouTube, Instagram …); 
  • behavioural analysis of prospects;
  • community management;
  • creation of statistics.

Retention periods

The retention period for our prospects’ data is defined according to legal and contractual constraints and by default in respect of our needs and especially according to the following principles:

Process

Period of retention

Data relating to clients

For the duration of the contractual relationship, increased by 3 years for the purposes of prospection and activities without prejudice to the obligations of retention and limitation periods

Technical data

1 year from the date of collection

Cookies

13 months

Once past these periods, data are either deleted or retained after being anonymized, notably for statistical purposes.  They may be retained in case of claims or litigation.

Partners are reminded that deletion and anonymization of data are irreversible and we are thus not in a position to restore them.

Legal basis

The purposes of prospects’ processing shown above are based on the following conditions of legality:

  • performance of pre-contractual measures;
  • the legitimate interest of our organization;
  • consent of the prospect when the law requires it (e.g. sending messages of commercial prospection).


5. Data recipients

We undertake that data are only accessible to authorized internal or external recipients subject to an appropriate obligation of confidentiality.  We decide which internal recipient may have access to a particular date according to an accreditation policy.

Any access concerning the processing of clients’, partners’, or prospects’ personal data is traceable.

Furthermore, data of a personal nature may be communicated to any legally accredited authority.  In this event, we are not responsible for the conditions in which the personnel of such bodies may access and exploit the data.

Internal recipients

External recipients

Accredited personnel in our organization (staff in charge of marketing, management of the relationship with clients, service providers and prospects, administrative personnel and staff in charge of information technology) and their hierarchical managers.

  • Tourism partners who have access to the pooled file in which data may be present;
  • service or support providers;
  • accredited personnel from services responsible for supervision (auditors, services responsible for the control of internal procedures, etc);
  • administration, representatives of the law if applicable.

6. Rights of individuals

Rights of access and copying

Clients, partners, and prospects traditionally have the right to request confirmation of whether data concerning them are or are not processed.

They equally have a right of access to their data, i.e. the right to have the totality of information relating to their data of a personal nature communicated to them.

In such a case, the client, partner, or prospect must make the request and there must be no doubt as to his/her identity. Failing that, we reserve the right to require the communication of any element that enables the identification, notably the copy of an ID card or similar document.

Clients, partners, and prospects have the right to request a copy of data of a personal nature that has been processed. However, in the case of requests for extra copies, we may require that the cost be charged to our clients, partners, and prospects.

If clients, partners, and prospects make their request for the provision of data by electronic means, the requested information will be sent by an appropriate electronic means, unless requested otherwise.

Clients, partners, and prospects are advised that this right of access does not extend to confidential data or information or to those that are not authorized by law.

The right of access must not be exercised in an abusive manner, that is to say in a regular manner where the sole aim is to destabilize the department in question.

Updating – updating and rectification

We satisfy requests for updating:

  • automatically for online modifications of fields that can technically or legally be updated;
  • on written request from the person concerned whose identity must be proven.

Right to deletion

Clients’, partners’ and prospects’ right to deletion will not be applicable where the processing is in place to satisfy a legal requirement. Otherwise, clients, partners, and prospects may request the deletion of their data in the following limited cases:

  • data of a personal nature no longer necessary for the purposes for which they were collected or processed in a different way;
  • when the person concerned withdraws consent on which the processing is based and there is no other legal basis for the processing;
  • the person concerned is opposed to the processing of data for legitimate purposes that we are undertaking and that there is no overriding legitimate reason for the processing;
  • the person concerned is opposed to the processing of his/her data of a personal nature for prospection and profiling purposes;
  • data of a personal nature have been the subject of illegal processing.

Right to limitation

Clients, partners, and prospects are advised that this right does not apply in that the processing we put in place is legal and that all the data of a personal nature that are collected are necessary for this purpose.

Right to portability

We accede to requests for portability of data in the particular case of data communicated by clients, partners, and prospects themselves for our online services and for purposes that rely on the sole consent of persons and performance of a contract.  In this case, data are communicated to the applicant in a structured format that is in current use and machine-readable.

Automated individual decisions

We do not carry out any automated individual decisions.

The tools available on our website are just support tools for clients and prospects and may not be considered otherwise. 

Post-mortem rights

Clients, partners, and prospects are advised that they have the right to express guidelines concerning the conservation, deletion, and communication of their data post-mortem. 

Exercise of rights

The exercise of the above rights may be made, at the choice of the individual, by email or post to the following address: dpo-charentes.tourisme@racine.eu. 

 

7. Additional provisions

Optional or compulsory nature of responses

Clients, partners, and prospects are advised of the optional or compulsory nature of responses by the presence of an asterisk on each form that is used for the collection of data of a personal nature.  Where responses are compulsory, we explain the consequences of an absence of response.

Right of utilization

Our organization is assigned a right of utilization by our clients, prospects, and partners to process their data of a personal nature for the purposes shown above.

However, enhanced data that are the result of processing or analysis by us, otherwise known as enhanced data, remain our exclusive property (usage analysis, statistics, etc).

Subcontracting

We hereby advise you that we may request the intervention of a subcontractor of our choice to process your data of a personal nature.  In this event, we undertake that the subcontractor respects the obligations imposed by the RGPD.

We undertake to sign a written contract with all our subcontractors and impose on them the same conditions in respect of data protection as ourselves. Furthermore, we reserve the right to undertake an audit of our subcontractors to ensure that the dispositions of the RGPD are being met.

Cross-border flows

Our organization reserves the sole right to choose whether or not to have cross-border flows for the processing of data of a personal nature.

In the event of data of a personal nature being transferred to a third country in the European Union or to an international organization, we shall inform you and ensure that your rights are fully respected. We undertake, if necessary, to sign one or more contracts that allow the cross-border flow of data.

Dispositions relating to cross-border flows are enforceable except in cases that permit a derogation in application of article 49 of the RGPD.

Processing register

As a data processing manager, we undertake to maintain and update a register of all the processing activities undertaken.

This register is a document or application enabling the identification of all the processing that we put in place as processing managers.

We hereby undertake to provide to the supervisory authority, in the first instance, the information enabling the said authority to verify the conformity of our processing to the data processing and civil liberties regulations in force.

 

8. Security

Security measures

It is our responsibility to put in place technical measures of security whether physical or software that we consider appropriate to combat the destruction, loss, alteration or unauthorized disclosure of data whether accidentally or illegally.

To achieve this, we may be assisted by any third party of our choice to proceed to audits of vulnerability or penetration tests at the frequency we consider necessary.

In any event, should the means ensuring the security and confidentiality of data of a personal nature be changed, we undertake to replace them with means of superior performance.  No development will result in the level of security being decreased.

In the case of subcontracting the processing of a part of the whole of data of a personal nature, we undertake to impose on our subcontractors contractual guarantees of security by means of technical measures to protect the data and the human resources necessary.

Data breaches

In the event of a breach of data of a personal nature, we undertake to notify the CNIL in the procedure outlined by the RGPD.

If the said breach poses a high risk for clients, partners, and prospects and if the data have not been protected, we shall advise the persons concerned and communicate the information and recommendations necessary.

9. Contacts

Data protection representative

We have appointed a data protection representative whose address is: 
dpo-charentes.tourisme@racine.eu. 

In the event of new processing of data of a personal nature, we first contact the data protection representative.

If you wish to obtain a specific item of information or ask a particular question, you may contact the data protection representative who will respond within a reasonable period of time in respect of the question asked or the information sought.

In the event of a problem encountered with the processing of your data of a personal nature, you may contact the data protection representative.

Right to make a complaint to the CNIL

Clients, partners, and prospects concerned by the processing of their data of a personal nature are advised of their right to make a complaint to the supervisory authority, the CNIL, if they believe that the processing of data of a personal nature that concerns them is not in conformity with the European regulations for data protection:

Cnil – Service des plaintes
3 Place de Fontenoy- TSA 80715 - 75334 PARIS CEDEX 07
Tél : 01 53 73 22 22

Developments

This policy may be modified or updated at any time in the event of legal developments, recommendations by the CNIL, or usage.

Any such new version of the policy shall be brought to the attention of clients, partners, and prospects by any appropriate means including electronically (for example dissemination by email or online).

Further information

For further information, you may contact the DPO at this address: dpo-charentes.tourisme@racine.eu

For further, more general information on data protection, consult the site of the CNIL: www.cnil.fr