Policy on personal data relating to customers/prospects

1. Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

In the course of its business, Paris je t'aime - Office de tourisme (hereinafter referred to as "Paris je t'aime") is required to process the personal data of its customers and prospective customers.

For a proper understanding of this policy, it is specified that:

  • the "data controller": refers to Paris je t'aime;
  • the "processor": refers to any natural or legal person who processes personal data on behalf of Paris je t'aime;
  • the "data subjects": refers to Paris je t'aime's customers and/or prospective customers;
  • the "recipients": refers to the natural or legal persons who receive personal data from Paris je t'aime. Data recipients may therefore be Paris je t'aime employees as well as external organisations (partners, banking establishments, IT service providers, etc.).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, comprehensible and easily accessible manner.

2. Purpose

The purpose of this policy is to meet Paris je t'aime's obligation to provide information and to formalise the rights and obligations of Paris je t'aime's customers and prospective customers with regard to the processing of their personal data.

3. Scope

This policy is intended to apply to all processing of personal data relating to Paris je t'aime customers and/or prospective customers.

Paris je t'aime makes every effort to ensure that data is processed within the framework of precise internal governance. This being said, this policy only covers processing for which Paris je t'aime is the data controller and therefore does not cover processing that would be created or operated outside of the governance rules set by Paris je t'aime (so-called "wild" or shadow IT processing).

The processing of personal data may be managed directly by Paris je t'aime or through a sub-contractor specifically appointed by Paris je t'aime.

This policy is independent of any other document that may apply within the contractual relationship between Paris je t'aime and its customers and prospects.

4. Types of data collected

Non-technical data:

  • Identification data (surname, first name, etc.).
  • Contact details (postal address, e-mail address, telephone number, etc.).
  • Economic and financial information (bank details, RIB, etc.).
  • Transaction data (shopping basket, amount and date of transactions, etc.).

Technical data:

  • Connection data (IP address, logs, etc.).
  • Browsing data (cookies, tracers, audience measurement, clicks, etc.).

5. Sources of data

Data relating to customers or prospects is generally collected directly from them (direct collection) by Paris je t'aime.

Data may also be collected indirectly:

  • via specialised companies (purchase or rental of databases) or via Paris je t'aime's partners and suppliers. In this case, Paris je t'aime takes great care to ensure the quality of the data it receives;
  • via sponsorship. In this case, the sponsor ensures that he/she can communicate the person's data to us.

6. Purposes and legal bases

Depending on the case, Paris je t'aime processes your data for the following purposes and legal bases:

Purpose | Comments | Legal basis
Pre-contractual exchanges | Paris je t'aime processes the data of people who interact with it prior to the conclusion of a contract. | Execution of pre-contractual measures
Contract and follow-up | Paris je t'aime processes the data of its customers as part of the follow-up of contractual relations (e.g. online purchases). | Execution of contractual measures
Invoicing, payment and accounting | Paris je t'aime processes customer data for the purposes of invoicing and paying for orders placed. | Execution of contractual measures
Management of the directory of customers and prospects | Paris je t'aime keeps an up-to-date directory of its customers and prospects. | Legitimate interest
Event organisation | Paris je t'aime processes the data of its customers and prospects when it invites them to events that it organises. | Legitimate interest
Sending newsletters and managing requests to unsubscribe | Paris je t'aime sends its customers and prospective customers newsletters from which they can unsubscribe. | Legitimate interest (customers). Consent (prospects)
Service improvement and satisfaction surveys | Paris je t'aime may process the data of its customers and prospects for the purpose of improving its services, in particular through satisfaction surveys. | Legitimate interest
Behavioural analysis and audience measurement | Paris je t'aime may process data for the purposes of analysing the behaviour of its customers and prospects and monitoring their online traffic. | Legitimate interest or consent when necessary
Community management | Paris je t'aime collects and processes the data of its customers and prospects for the purposes of animating its communities on the internet, particularly on social networks. | Legitimate interest
Video surveillance | The reception and tourist information point has a video surveillance system. | Legitimate interest
Production of statistics | Paris je t'aime may compile statistics on the data of its customers and prospective customers. | Legitimate interest

7. Recipients of data - authorisation & traceability

Paris je t'aime ensures that data is only accessible to authorised internal or external recipients.

Internal recipients:

  • Authorised staff of the marketing department, sales department, member department, departments responsible for handling customer relations and canvassing, administrative departments, logistics and IT departments and their line managers;
  • Authorised staff of departments responsible for control (statutory auditors, departments responsible for internal control procedures, etc.).

External recipients:

  • Paris je t'aime members;
  • Paris je t'aime partners;
  • Banking organisations;
  • Authorised staff of sub-contractors.

The recipients of the personal data of customers and prospective customers within Paris je t'aime are subject to an obligation of confidentiality.

Paris je t'aime decides which recipients may have access to which data in accordance with an authorisation policy.

All access to processing relating to the personal data of customers and prospective customers is subject to traceability.

In addition, personal data may be communicated to any authority legally authorised to have access to it. In this case, Paris je t'aime is not responsible for the conditions under which the staff of these authorities have access to and use the data.

8. Retention period

The length of time Paris je t'aime retains data is defined by Paris je t'aime in the light of its legal and contractual obligations and, failing that, according to its needs and in particular according to the following principles:

Processing | Retention period
Contracts concluded with customers | 5 years from their conclusion. 10 years for contracts over 120 euros concluded electronically.
Commercial correspondence (order forms, delivery notes, invoices, etc.) | 10 years from the end of the financial year.
Data processed for canvassing purposes | For customers: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer (request for documentation, clicking on a link in an email, etc.). For prospective customers: 3 years from the date of collection or the last contact from the prospective customer.
Images from video protection cameras | For a maximum period of one month.
Technical data | 1 year from the date of collection.
Bank details | Deleted as soon as the transaction is completed, unless the customer expressly agrees. If the transaction is disputed: stored for 13 months following the debit date.

Once the set time limits have expired, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.

Customers and prospects are reminded that deletion and anonymisation are irreversible operations and that Paris je t'aime is not subsequently able to restore the data.

9. Right of confirmation and right of access

Customers and prospective customers have the right to ask Paris je t'aime for confirmation as to whether or not data concerning them is being processed.

The right of access/copy is subject to compliance with the following rules:

  • the request must come from the individual him/herself; and
  • be sent to the e-mail address [email protected].

Customers and prospective customers have the right to request from Paris je t'aime a copy of their personal data being processed. However, in the event of a request for an additional copy, Paris je t'aime may require customers and prospective customers to bear the cost.

If customers and prospective customers submit their request for a copy of the data electronically, the information requested will be supplied to them in a commonly used electronic form, unless they request otherwise.

Customers and prospective customers are informed that this right of access may not relate to confidential information or data, or to data whose communication is not authorised by law.

The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the service concerned.

10. Updating and rectification

Paris je t'aime complies with requests for updates:

  • automatically for online modifications to fields which, technically or legally, can be updated;
  • on written request from the person him/herself, who may be required to prove his/her identity.

11. Right to erasure

Customers' and prospective customers' right to erasure shall not apply in cases where processing is carried out in response to a legal obligation.

Apart from this situation, customers and prospective customers may request the deletion of their data in the following limited cases:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to processing that is necessary for the purposes of the legitimate interests pursued by Paris je t'aime and there is no compelling legitimate reason for the processing;
  • the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
  • the personal data has been processed unlawfully.

In accordance with legislation on the protection of personal data, customers and prospective customers are informed that this is an individual right that can only be exercised by the person concerned in relation to his/her own information: for security reasons, the department concerned may therefore carry out an identity check.

12. Right to limitation

Customers and prospects may exercise their right to limitation where any of the following applies:

a) the accuracy of the personal data is contested by the data subject;
b) the processing is unlawful and the data subject objects to the erasure of the data and instead requests that the use of the data be restricted;
c) Paris je t'aime no longer needs the personal data for the purposes of processing, but the data is still necessary for the data subject to establish, exercise or defend legal claims; or
d) the data subject has objected to processing, during the verification as to whether the legitimate reasons pursued by Paris je t'aime prevail over those of the data subject.

13. Right to portability

Paris je t'aime grants the right to data portability in the specific case of data communicated by customers or prospects themselves, on online services offered by Paris je t'aime itself and for purposes based solely on the consent of the individuals concerned. In this case, the data will be communicated in a structured, commonly used and machine-readable format.

14. Automated individual decision

Paris je t'aime does not make automated individual decisions.

15. Post-mortem rights

Customers and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data. The communication of specific post-mortem directives and the exercise of their rights may be made by e-mail to [email protected].

16. Right of use

Customers and prospective customers grant Paris je t'aime the right to use and process their personal data for the purposes set out above.

However, enriched data, which is the result of processing and analysis by Paris je t'aime, remains the exclusive property of Paris je t'aime (analysis of use, statistics, etc.).

17. Sub-contracting

Paris je t'aime informs its customers and prospective customers that it may involve any sub-contractor of its choice in the processing of their personal data.

In this case, Paris je t'aime ensures that the sub-contractor complies with its obligations under the GDPR.

Paris je t'aime undertakes to sign a written contract with all its sub-contractors. In addition, Paris je t'aime reserves the right to audit its sub-contractors in order to ensure compliance with the provisions of the GDPR.

18. Security

Paris je t'aime is responsible for defining and implementing the technical, physical and logical security measures it deems appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.

19. Data breach

In the event of a personal data breach, Paris je t'aime undertakes to notify the CNIL in accordance with the conditions prescribed by the GDPR.

If the said breach poses a high risk to customers and prospective customers and the data has not been protected, Paris je t'aime will:

  • notify the customers and prospects concerned;
  • provide the customers and prospects concerned with the necessary information and recommendations.

20. Data Protection Officer

Paris je t'aime has appointed a Data Protection Officer.

The details of the Data Protection Officer are as follows:

Name: Mr Eric Barbry;
E-mail address: [email protected];
Tel: 01 44 82 43 00.

In the event of any new processing of personal data, Paris je t'aime will first contact the Data Protection Officer.

If customers and prospects wish to obtain information or ask a specific question, they may contact the Data Protection Officer, who will provide an answer within a reasonable timeframe in relation to the information requested or the question asked.

In the event of a problem with the processing of personal data, customers and prospective customers may contact the appointed Data Protection Officer.

21. Register of processing

Paris je t'aime, as the data controller, undertakes to keep an up-to-date register of all processing activities carried out.

This register is a document or application enabling all processing carried out by Paris je t'aime, as data controller, to be listed.

Paris je t'aime undertakes to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.

22. Right to lodge a complaint with the CNIL

Customers and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:

CNIL - Complaints Department
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

23. Changes

This policy may be amended or modified at any time in the event of changes in legislation, case law, CNIL decisions and recommendations or practices.

Any new version of this policy will be brought to the attention of customers and prospective customers by any means defined by Paris je t'aime, including electronic means (distribution by e-mail or online, for example).

24. For further information

For any additional information, you may contact the DPO at the following address: [email protected].

For more general information on the protection of personal data, please visit the CNIL website at www.cnil.fr.