Privacy policy

1. General provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, processors, data subjects and data recipients.

Subsequently, and in order to implement the changes made by the RGPD, the French Data Protection Act no. 78-17 of January 6, 1978 was amended by Act no. 2018-493 of June 20, 2018 and Ordinance no. 2018-1125 of December 12, 2018.

This policy is implemented by the Dieppe-Normandie Tourist Office (hereinafter referred to as “the organization”), whose main activities are the development of the tourism offer, the promotion of tourist destinations and the marketing of the tourism offer in Occitanie.

As part of our activities, we process personal data relating to our customers, partners and prospects. For a better understanding of the present policy, it is specified that :

• customers are understood to be all natural or legal persons who have entered into a contract of any kind with our organization, it being specified that the latter is intended to work with customers in the tourism industry or the general public;
• partners are defined as any natural or legal persons working in the tourism sector and maintaining relations with our organization in this capacity, such as local tourism professionals, project sponsors and internal and external investors, holiday distributors, local authorities and their associations, or institutional partners;
• Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organization, whose data has been collected directly via contact forms, events or indirectly via any of our organization’s partners.

Purpose and scope

This personal data protection policy is intended to apply to the processing of the personal data of our customers, partners and prospects.

As such, the purpose of this policy is to satisfy our organization’s obligation to provide information, and thus to formalize the rights and obligations of customers, partners and prospects with regard to the processing of their data.

This policy applies only to data processing for which we are responsible, and to “structured” data.

The processing of personal data may be managed directly by our organization or through a subcontractor specifically appointed by it.

This policy is independent of any other document that may apply within the contractual relationship that binds us to our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.

2. Customer data

Types of data collected

Data origin

We collect customer data from :

• data supplied by the customer (paper forms, order forms, contracts, business cards, competitions, information collected at the Office reception desk);
• electronic forms filled in by the customer;
• data entered online (website, social networks, etc.);
• registration for events we organize or take part in (e.g. tourism trade shows);
• databases shared by several partners, fed and used by all these partners;
• exceptional rental or acquisition of databases;
• communication of contacts via specialized companies or partners of our organization.

Purposes

As the case may be, we process customer data for the following purposes:

• customer relationship management ;
• sale of tourist stays, services or products directly or via distribution partners;
• management of events we organize or participate in;
• commercial prospecting;
• sending newsletters or news feeds;
• customer account management;
• improving our services (e.g. satisfaction surveys, tourism quality approach);
• meeting our administrative obligations;
• community management;
• statistics.

Retention periods

The length of time we retain customer data is defined in the light of the legal and contractual constraints imposed on us, and otherwise in accordance with our needs, and in particular in accordance with the following principles:

Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. They may be kept for pre-litigation and litigation purposes.

Customers are reminded that deletion or anonymization are irreversible operations, and we are not subsequently able to restore them.

Legal basis

The processing operations that we carry out under this policy are all legally based on the implementation of contractual or pre-contractual measures.

3. Partner data

Types of data collected

Data origin

We collect data from our partners from :

• information collected directly via partners, in particular via shared databases;
• forms or electronic forms filled in by partners
• registrations or subscriptions to our online services (newsletter, social networks).

Purposes

Depending on the case, we process customer data for the following purposes:

• partner relationship management ;
• certification of sites and facilities in the sectors entrusted to us by the organization;
• tourism engineering operations (diagnostics and feasibility studies, support in setting up projects and grant applications);
• networking and consultation with various partners;
• marketing assistance for partner service providers;
• management of events we organize or participate in (trade shows, workshops, etc.);
• training operations for partner service providers;
• search for distribution partners;
• statistics.

Retention periods

The length of time we keep our partners’ data is defined in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs, and in particular according to the following principles:

Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. They may be kept for pre-litigation and litigation purposes.

Partners are reminded that deletion or anonymization are irreversible operations, and that we are not subsequently able to restore them.

Legal basis

The processing operations that we carry out under this policy are all legally based on the implementation of contractual or pre-contractual measures.

4. Prospect data

Types of data collected

Data origin

We collect our prospects’ data from :

• data supplied by the prospect (paper form, business card, collection by the receptionist, etc.) ;
• forms or electronic forms filled in by the prospect;
• data entered online (website, social networks, etc.);
• registration or subscription to our online services (website, social networks);
• registration for events we organize or participate in;
• databases shared by several partners, fed and used by all these partners;
• lists provided by the organizers of events or conferences in which we participate;
• exceptional database rentals;
• communication of contacts through specialized companies or partners.

Purposes

Depending on the case, we process our prospects’ data for the following purposes:

• prospect relationship management ;
• management of events we organize
• commercial prospecting;
• sending our newsletters or news feeds;
• animation of websites in partnership with our partners;
• operations to promote our organization and tourism in Normandy on social networks (Facebook, YouTube, Instagram, Twitter, TikTok, etc.);
• behavioral analysis of prospects;
• community management;
• statistics.

Retention periods

The length of time we keep our prospects’ data is defined in the light of the legal and contractual constraints placed on us and, failing that, according to our needs and in particular according to the following principles:

After these periods, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.

Prospects are reminded that deletion or anonymization are irreversible operations and that we are not subsequently able to restore them.

Legal basis

The above-mentioned purposes for processing prospects are based on the following conditions of lawfulness:

• performance of pre-contractual measures ;
• our organization’s legitimate interests
• the prospect’s consent when required by law (e.g. for the sending of commercial prospecting messages).

5. Recipients of data

We ensure that data is only accessible to authorized internal or external recipients who are subject to an appropriate obligation of confidentiality.

Internally, we decide which recipients will have access to which data according to an authorization policy.

All accesses concerning the processing of personal data relating to customers, partners and prospects are subject to traceability measures.

In addition, personal data may be communicated to any authority legally empowered to deal with it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

6. Individual rights

Right of access and copy

Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them is being processed.

They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the customer, partner or prospect must formulate his or her request himself or herself, and there must be no doubt as to his or her identity. Failing this, we reserve the right to ask for any information that would enable them to be identified, such as a copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost of this.

If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

Customers, partners and prospective customers are hereby informed that this right of access may not relate to confidential information or data, or data for which communication is not permitted by law.

The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the service concerned.

Updating and rectification

We respond to requests for updates :

• automatically for online modifications to fields that can be technically or legally updated;
• upon written request from the person concerned, who must provide proof of identity.

Right to erasure

The right to erasure of customers, partners and prospects will not apply in cases where processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases:

• personal data is no longer required for the purposes for which it was collected or otherwise processed;
• when the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
• the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
• the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
• the personal data has been processed unlawfully.

Right to restriction

Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing we carry out is lawful and all personal data collected is necessary for the purposes for which it is processed.

Right to portability

We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.

Automated individual decisions

We do not make any automated individual decisions.

The tools offered on our website are only intended to help customers and prospects and should not be considered otherwise.

Post-mortem rights

Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.

Exercise of rights

The aforementioned rights may be exercised, at the option of the person concerned, by e-mail or by post to the following address: dpo-dieppetourisme@racine.eu or 40 rue de Courcelles, 75008 Paris.

7. Additional provisions

Optional or mandatory nature of responses

Customers, partners and prospects are informed of the compulsory or optional nature of their responses by the presence of an asterisk on each personal data collection form submitted to them. Where answers are mandatory, we explain the consequences of not answering.

Right of use

Our customers, prospects and partners grant us the right to use and process their personal data for the purposes set out above.

However, enriched data resulting from processing and analysis on our part, otherwise known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the RGPD.

We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as ourselves. In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the RGPD.

Cross-border flows

Our organization alone reserves the choice of whether or not to have transborder flows for the personal data it processes.

In the event of the transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are properly respected. If necessary, we will sign one or more contracts to govern cross-border data flows.

The provisions relating to cross-border flows are enforceable against us, except in the derogatory cases provided for in Article 49 of the RGPD.

Register of processing operations

As data controller, we undertake to keep an up-to-date register of all processing activities carried out.

This register is a document or application that makes it possible to list all the processing that we implement as data controller.

We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of the processing operations with current data protection regulations.

8. Safety

Security measures

We are responsible for defining and implementing the physical or logical technical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data.

To this end, we may engage the assistance of any third party of our choice to carry out vulnerability audits or penetration tests, at such intervals as we deem necessary.

In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical data protection measures and appropriate human resources.

Data breaches

In the event of a personal data breach, we undertake to notify the Cnil under the conditions prescribed by the RGPD.

If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

8. Contacts

Data Protection Officer

We have appointed a data protection officer whose contact details are as follows: dpo-dieppetourisme@racine.eu.

In the event of any new processing of personal data, we will first contact the Data Protection Officer.

If you wish to obtain specific information or ask a specific question, you can contact the Data Protection Officer, who will give you an answer within a reasonable timeframe in relation to the question or information requested.

In the event of a problem with the processing of your personal data, you can contact the designated Data Protection Officer.

Right to lodge a complaint with Cnil

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

Cnil – Service des plaintes

3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07

Tel: 01 53 73 22 22

Changes

The present policy may be modified or amended at any time in response to changes in legislation, case law, Cnil decisions and recommendations, or practices.

Any new version of the present policy will be brought to the attention of customers, prospects and partners by any means we define, including by electronic means (distribution by e-mail or online, for example).

For further information

For further information, please contact the DPO at the above address, in this case dpo-dieppetourisme@racine.eu.

For more general information on the protection of personal data, please consult the Cnil website www.cnil.fr.