Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR), establishes the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, processors, data subjects and data recipients.
In the course of its activities, Paris je t'aime - Office de tourisme (hereinafter referred to as ‘Paris je t'aime’) processes the personal data of its customers and prospective customers.
For a clear understanding of this policy, the following definitions apply:
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.
The purpose of this policy is to fulfil the obligation of information to which Paris je t'aime is bound and to formalise the rights and obligations of Paris je t'aime's customers and prospective customers with regard to the processing of their personal data.
This policy is intended to apply to all processing of personal data relating to customers and/or prospects of Paris je t'aime.
Paris je t'aime makes every effort to ensure that the data is processed within the framework of a precise internal governance. That being said, this policy only covers processing for which Paris je t'aime is the data controller and therefore does not cover processing that would be created or operated outside the governance rules set by Paris je t'aime (so-called ‘wild’ or shadow IT processing).
The processing of personal data may be managed directly by Paris je t'aime or by a subcontractor specifically appointed by Paris je t'aime.
This policy is independent of any other document that may apply within the contractual relationship between Paris je t'aime and customers and prospects.
Non-technical data | Identification data (surname, first name, etc.). Contact details (postal address, email address, telephone number, etc.). Data relating to WhatsApp exchanges (connection time, online status, etc.). Information on the service (content of email, call and WhatsApp exchanges, time taken to process requests, number of calls, emails and WhatsApp messages). Economic and financial information (bank details, etc.). Transaction data (shopping basket, amount and date of transactions, etc.). |
---|---|
Technical data | Connection data (IP address, logs, etc.). Browsing data (cookies, tracers, audience measurement, clicks, etc.). Geolocation data (country from which the customer or prospect calls or sends a message via WhatsApp). |
The data relating to customers or prospective customers is generally collected directly from them (direct collection) by Paris je t'aime.
The collection can also be indirect:
Depending on the case, Paris je t'aime processes your data for the following purposes and legal bases:
Purpose | Comments | Legal bases |
---|---|---|
Pre-contractual exchanges | Paris je t'aime processes the data of people who interact with it before entering into a contract. | Implementation of pre-contractual measures |
Contract and contract follow-up | Paris je t'aime processes the data of its customers as part of the monitoring of contractual relations (e.g. online purchases). | Execution of contractual measures |
Invoicing, payment and accounting | Paris je t'aime processes the data of its customers as part of the invoicing and payment of orders placed. | Execution of contractual measures |
Management of the customer and prospect directory | Paris je t'aime keeps an up-to-date directory of its customers and prospective customers. | Legitimate interest |
Organisation of events | Paris je t'aime processes the data of its customers and prospective customers when it invites them to events that it organises. | Legitimate interest |
Sending of newsletters and management of requests to unsubscribe | Paris je t'aime sends newsletters to its customers and prospective customers from which they can unsubscribe. | Legitimate interest (customers). Consent (prospects) |
Service improvement and satisfaction surveys | Paris je t'aime may process the data of its customers and prospects for the purpose of improving its services, in particular through satisfaction surveys. | Legitimate interest |
Behavioural analysis and audience measurement | Paris je t'aime may process data for the purpose of analysing the behaviour of its customers and prospects and monitoring their online traffic. | Legitimate interest or consent where necessary |
Community management | Paris je t'aime collects and processes the data of its customers and prospects for the purpose of running its online communities, particularly on social networks. | Legitimate interest |
Video surveillance | The tourist information centre has a video surveillance system. | Legitimate interest |
Production of statistics | Paris je t'aime may produce statistics relating to the data of its customers and prospective customers. | Legitimate interest |
Concierge service | Paris je t'aime collects personal data via the concierge service, which is put in touch with the customer or prospective customer to provide remote assistance in organising their stay, discovering the destination and booking tourist activities. | Legitimate interest |
Paris je t'aime ensures that the data is only accessible to authorised internal or external recipients.
Internal recipients | External recipients |
---|---|
- authorised personnel from the marketing department, the sales department, the membership department, the departments responsible for customer relations and canvassing, the administrative departments, the logistics and IT departments, as well as their line managers; - authorised personnel from the departments responsible for control (auditor, departments responsible for internal control procedures, etc.) | - members of Paris je t'aime; - partners of Paris je t'aime; - banking organisations; - authorised subcontractor personnel; - external service providers (customer service, concierge, etc.). |
The recipients of the personal data of customers and prospective customers within Paris je t'aime are subject to an obligation of confidentiality.
Paris je t'aime decides which recipient will have access to which data according to an authorisation policy.
All access concerning the processing of personal data of customers and prospects is subject to a traceability measure.
Furthermore, personal data may be communicated to any authority legally authorised to have access to it. In this case, Paris je t'aime is not responsible for the conditions under which the personnel of these authorities have access to and use the data.
The data retention period is defined by Paris je t'aime in accordance with the legal and contractual obligations to which it is subject and, failing that, according to its needs and in particular according to the following principles:
Processing | Retention period |
---|---|
Contracts concluded with customers | 5 years from their conclusion. 10 years for contracts concluded electronically for more than 120 euros. |
Commercial correspondence (order forms, delivery notes, invoices, etc.) | 10 years from the end of the financial year. |
Data processed for prospecting purposes | For customers: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer (request for documentation, clicking on a link in an email, etc.). For prospects: 3 years from the time they are collected or the last contact from the prospect. |
CCTV footage | For a maximum period of one month. |
Technical data | 1 year from the time they are collected. |
Bank details | Deleted as soon as the transaction is completed, unless expressly agreed by the customer. If the transaction is disputed: stored in the archive for 13 months following the debit date. |
Concierge service | 5 years for customers from the date of the last purchase. 3 years for prospective customers. |
After the specified periods, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept in the event of pre-litigation and litigation.
Customers and prospective customers are reminded that deletion or anonymisation are irreversible operations and that Paris je t'aime is subsequently unable to restore them.
Customers and prospective customers have the right to ask Paris je t'aime for confirmation that data concerning them is or is not being processed.
The right of access/copy is subject to compliance with the following rules:
Customers and prospective customers have the right to request a copy of their personal data being processed by Paris je t'aime. However, in the event of a request for an additional copy, Paris je t'aime may require customers and prospective customers to bear the financial cost.
If customers and prospective customers submit their request for a copy of the data electronically, the requested information will be provided to them in a commonly used electronic form, unless otherwise requested.
Customers and prospective customers are informed that this right of access may not apply to confidential information or data, or to data for which disclosure is not permitted by law.
The right of access must not be exercised abusively, i.e. on a regular basis with the sole aim of destabilising the department concerned.
Paris je t'aime complies with update requests:
The right to erasure of customers and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation.
Apart from this situation, customers and prospects may request the erasure of their data in the following restrictive cases:
In accordance with the legislation on the protection of personal data, customers and prospective customers are informed that this is an individual right that can only be exercised by the person concerned in relation to their own information: for security reasons, the department concerned may therefore carry out an identity check.
Customers and prospective customers may exercise their right to restriction where one of the following applies:
a) the accuracy of the personal data is contested by the data subject;
b) the processing is unlawful and the data subject opposes their erasure and instead demands the restriction of their use;
c) Paris je t'aime no longer needs the personal data for the purposes of the processing, but they are still needed by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to the processing, pending the verification whether the legitimate grounds of Paris je t'aime override those of the data subject.
Paris je t'aime recognises the right to data portability in the specific case of data communicated by customers or prospective customers themselves, regarding online services offered by Paris je t'aime itself and for purposes based solely on the consent of the individual. In this case, the data will be communicated in a structured, commonly used and machine-readable format.
Paris je t'aime does not make automated individual decisions.
Customers and prospective customers are informed that they have the right to formulate directives concerning the conservation, erasure and communication of their data post-mortem. The communication of specific post-mortem directives and the exercising of their rights is carried out by email to the address [email protected].
Paris je t'aime is granted a right of use and processing of its customers' and prospective customers' personal data for the purposes set out above.
However, the enriched data, which is the result of processing and analysis by Paris je t'aime, remains the exclusive property of Paris je t'aime (usage analysis, statistics, etc.).
Paris je t'aime informs its customers and prospective customers that it may use any subcontractor of its choice in the processing of their personal data.
In this case, Paris je t'aime ensures that the subcontractor complies with its obligations under the GDPR.
Paris je t'aime undertakes to sign a written contract with all its subcontractors. In addition, Paris je t'aime reserves the right to audit its subcontractors to ensure compliance with the provisions of the GDPR.
It is the responsibility of Paris je t'aime to define and implement the technical, physical or logical security measures it deems appropriate to combat the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
In the event of a personal data breach, Paris je t'aime undertakes to notify the CNIL (French Data Protection Authority) under the conditions prescribed by the GDPR.
If the said breach poses a high risk to customers and prospects and the data has not been protected, Paris je t'aime will:
Paris je t'aime has appointed a data protection officer.
The contact details of the data protection officer are as follows:
In the event of new processing of personal data, Paris je t'aime will first refer the matter to the data protection officer.
If customers and prospective customers wish to obtain information or ask a specific question, they may refer the matter to the data protection officer, who will provide them with an answer within a reasonable period of time with regard to the information requested or the question asked.
In the event of a problem with the processing of personal data, customers and prospective customers may refer the matter to the designated data protection officer.
Paris je t'aime, as data controller, undertakes to keep an up-to-date register of all processing activities carried out.
This register is a document or application that makes it possible to list all the processing carried out by Paris je t'aime, as data controller.
Paris je t'aime undertakes to provide the supervisory authority, upon first request, with the information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.
Customers and prospective customers concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:
CNIL - Complaints Department
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
This policy may be modified or amended at any time in the event of changes in the law, case law, decisions and recommendations of the CNIL or usage.
All new versions of this policy will be brought to the attention of customers and prospective customers by any means defined by Paris je t'aime, including electronic means (distribution by email or online, for example).
For further information, you can contact the DPO at the following address: [email protected].
For more general information on personal data protection, you can visit the CNIL website at www.cnil.fr.