Respect for privacy
Customer, prospective customer and partner data protection policy
The Saint-Malo Baie du Mont-Saint-Michel Intercommunal Tourist Office respects your right to privacy.

Data protection policy for customers, prospects and partners

This section on the protection of personal data and privacy details our practices with regard to the processing of personal data that we collect online or offline, in particular via our website www.saint-malo-tourisme.com, forms or electronic messages.

General provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter “RGPD”), sets out the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the changes made by the RGPD, Act no. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by Act no. 2018-493 of 20 June 2018 and Order no. 2018-1125 of 12 December 2018 relating to data protection.
This policy is implemented by the SPL Destination Saint-Malo – Baie du Mont Saint-Michel (hereinafter referred to as “the organisation”), whose main activities are the development of the tourism offer, the promotion of tourist destinations and the marketing of the tourism offer of the Destination Saint-Malo -Baie du Mont Saint-Michel territory.

As part of our activity, we implement personal data processing relating to the data of our customers, partners and prospects. For a proper understanding of this policy, it is specified that:

  • Customers are understood to mean all natural or legal persons engaged under a contract of any kind whatsoever with our organisation, it being specified that the latter is intended to work with customers who are tourism professionals or the general public;
  • Partners are understood to be any natural or legal persons involved in the tourism sector and maintaining relations with our organisation in this capacity, such as, in particular, local tourism professionals, project sponsors and internal and external investors, holiday distributors, local authorities and their groupings or institutional partners;
  • Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organisation whose data has been collected directly via contact forms, events or indirectly via any of the organisation’s partners.

Purpose and scope

The purpose of this personal data protection policy is to apply to the processing of the personal data of our customers, partners and prospective customers.
The purpose of this policy is to meet our organisation’s obligation to provide information and to formalise the rights and obligations of our customers, partners and prospective customers with regard to the processing of their data. The processing of personal data may be managed directly by our organisation or through a subcontractor specifically appointed by it.

This policy is independent of any other document that may apply within the contractual relationship that links us to our customers or partners. We do not carry out any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.

Customer data

Types of data collected

Non-technical data (Depending on use cases)

  • Identity and identification (civil status, surname, first name, date of birth, pseudonym, customer number)
  • Contact details (email, postal address, telephone number)
  • Professional life/personal life where necessary
  • Transaction data (amount and date of transactions)

Technical data (Depending on use cases)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, click)
  • Location data (movement, GPS data)

Origin of data

We collect our customers’ data from:

  • Data provided by the customer (paper form, order form, contract, business card);
  • Electronic sheets or forms filled in by the customer;
  • Data entered online (website, social networks);
  • Registration to events we organise;
  • Databases shared between several partners, fed and exploited by all these partners;
  • Renting or acquiring databases on an exceptional basis;
  • Communication of contacts via specialist companies or partners of our organisation.

Purposes and legal bases

As the case may be, we process our customers’ data for the following purposes and legal bases:

  • Management of customer relations (performance of pre-contractual or contractual measures);
  • Sale of tourist holidays directly or via distribution partners (performance of pre-contractual or contractual measures);
  • Management of events that we organise (legitimate interest of our organisation to promote our activity);
  • Sending newsletters or news feeds (legitimate interest of our organisation to promote its activity);
  • Management of customer accounts (performance of contractual measures);
  • Improving our services (legitimate interest of our organisation to improve its services);
  • Responding to our administrative obligations (legal obligation);
  • Community management (legitimate interest of our organisation to promote our activity);
  • Producing statistics (legitimate interest of our organisation to analyse the activity of its customers).

Storage periods

The storage period for our customers’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:

Processing | Storage period
Contracts concluded with customers | 5 years from the end of the contractual relationship. 10 years for contracts concluded electronically of more than 120 euros.
Commercial correspondence (order forms, delivery notes, invoices, etc.) | 10 years from the close of the accounting period.
Data processed for canvassing purposes | 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer (request for documentation, clicking on a link in an e-mail, etc.).
Images of video protection cameras | For a maximum period of one month.
Access to buildings | For a maximum period of one month.
Technical data | 1 year from the date of collection.
Banking data | Deleted as soon as the transaction has been completed, unless expressly agreed by the customer. If the transaction is disputed: stored for 13 months following the debit date.

After the set time limits, the data is either deleted or stored after being anonymised, in particular for statistical purposes. It may be retained in the event of pre-litigation or litigation.
Customers are reminded that the deletion or anonymisation of data is an irreversible operation and that we are subsequently unable to restore it.

Partner data

Types of data collected

Non-technical data (According to use cases)

  • Identity and identification (civil status, surname, first name)
  • Contact details (email, postal address, telephone number)
  • Professional life where necessary
  • Transaction data (amount and date of transactions)

Technical data (Depending on use cases)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, click)
  • Location data (movement, GPS data)

Origin of data

We collect data from our partners from:

  • Information collected directly via partners;
  • Electronic sheets or forms filled in by partners;
  • Registrations or subscriptions to our online services (newsletter, social networks).

Purposes and legal bases

As the case may be, we process our partners’ data for the following purposes and legal bases:

  • Management of the partner relationship (performance of pre-contractual or contractual measures);
  • Labelling of sites and equipment for the channels entrusted by the organisation (performance of contractual measures);
  • Sending newsletters or news feeds (legitimate interest of our organisation in promoting its activity);
  • Tourism engineering operations (diagnostics and feasibility studies, support in setting up projects and grant application files) (performance of pre-contractual or contractual measures);
  • Operations involving the networking and consultation of various partners (legitimate interest of our organisation in developing its network of partners);
  • Operations involving assistance with the marketing of partner service providers (performance of pre-contractual or contractual measures);
  • Management of events that we organise (trade fairs, workshops, etc.) (legitimate interest of our organisation in developing its network of partners) (legitimate interest of our organisation to promote its activity);
  • Training operations for partner service providers (execution of pre-contractual or contractual measures);
  • Search operations for distributor partners (legitimate interest of our organisation to develop its network of distributor partners);
  • Drawing of statistics (legitimate interest of our organisation to analyse the activity of its partners).

Storage periods

The storage period for our partners’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:

Processing | Storage period
Contracts concluded with partners | 5 years from their conclusion. 10 years for contracts concluded electronically of more than €120.
Commercial correspondence (purchase orders, delivery notes, invoices, etc.) | 10 years from the close of the accounting period.
Data processed for canvassing purposes | 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the partner (request for documentation, click on a link contained in an email, etc.).
Images of video protection cameras | For a maximum period of one month.
Access to buildings | For a maximum period of one month.
Technical data | 1 year from the date of collection.
Banking data | Deleted as soon as the transaction has been completed, unless expressly agreed otherwise by the partner. If the transaction is disputed: stored for 13 months following the debit date.

After the set time limits, the data is either deleted or stored after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Partners are reminded that deleting or anonymising data is an irreversible operation and that we are not subsequently able to restore it.

Prospect data

Types of data collected

Non-technical data (Depending on use cases)

  • Identity and identification (civil status, surname, first name, date of birth)
  • Contact details (email, postal address, telephone number)
  • Professional life/personal life when necessary

Technical data (Depending on use cases)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, click)
  • Location data (movement, GPS data)

Origin of data

We collect our prospects’ data from:

  • Data provided by the prospect (paper form, business card, etc.);
  • Electronic forms filled in by the prospect;
  • Data entered online (website, social networks, etc.);
  • Registration or subscription to our online services (website, social networks);
  • Registration to events that we organise;
  • Databases pooled between several partners, fed and exploited by all of these partners;
  • List communicated by the organisers of events or conferences in which we participate;
  • Rental of databases on an exceptional basis;
  • Communication of contacts via specialised companies or partners.

Purposes and legal bases

As the case may be, we process our prospects’ data for the following purposes and legal bases:

  • Management of the prospect relationship (legitimate interest of our organisation to promote its activity);
  • Management of the events we organise (legitimate interest of our organisation to promote its activity);
  • Sending of our newsletters or news feeds (consent);
  • Promotion of websites in partnership with our partners (legitimate interest of our organisation to promote its activity);
  • Promotion of our organisation and tourism on social networks (Facebook, Twitter, YouTube, Instagram) (legitimate interest of our organisation to promote its activity);
  • Behavioural analysis of prospects (legitimate interest of our organisation to analyse the activity of its prospects);
  • Community management (legitimate interest of our organisation to promote its activity);
  • Producing statistics (legitimate interest of our organisation to analyse the activity of its prospects).

Storage periods

The storage period for our prospects’ data is defined with regard to the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:

Processing | Storage period
Data processed for canvassing purposes | 3 years from the date of collection or the last contact from the prospect (request for documentation, click on a link contained in an email, etc.).
Data processed for marketing purposes | 3 years from the date of collection or the last contact from the prospect (request for documentation, click on a link contained in an email, etc.).
Technical data | 1 year from the date of collection.

After the set deadlines, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be retained in the event of pre-litigation or litigation.
Prospects are reminded that deleting or anonymising data is an irreversible operation and that we are subsequently unable to restore it.

Data recipients

We ensure that data is only accessible to authorised internal or external recipients who are subject to an appropriate obligation of confidentiality.

Internally, we decide which recipient may have access to which data according to an authorisation policy.

In addition, personal data may be communicated to any authority legally entitled to know about it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

Internal recipients

  • Authorised staff within our structure (staff in charge of marketing, customer relationship management, service providers and prospects, administrative staff, staff in charge of IT) and their line managers.

External recipients

  • Tourist partners who access the shared file in which data may appear;
  • Service providers or support services;
  • Authorised staff of the services responsible for control (auditor, services responsible for internal control procedures, etc.);
  • Administration, legal auxiliary where applicable.

Individual rights

Right of access and copy

Customers, partners and prospects have the right to request confirmation as to whether or not data relating to them is being processed.
They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the customer, partner or prospect must formulate their request themselves and there must be no doubt as to their identity. Failing this, we reserve the right to request the communication of any element enabling its identification, such as in particular a copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost of this.

If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided to them in a commonly used electronic form, unless they request otherwise.

Customers, partners and prospects are informed that this right of access cannot relate to confidential information or data or for which the law does not authorise disclosure.

The right of access must not be exercised in an abusive manner i.e. carried out on a regular basis with the sole aim of destabilising the service concerned.

Updating and rectification

We comply with requests to update:

  • Automatically for online changes to fields that technically or legally can be updated;
  • On written request from the person themselves.

Right to erasure

The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases:

  • Personal data is no longer necessary with regard to the purposes for which it was collected or otherwise processed;
  • When the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • The data subject objects to processing that is necessary for the purposes of the legitimate interests we are pursuing and there is no compelling legitimate reason for the processing;
  • The data subject objects to processing of his or her personal data for canvassing purposes, including profiling;
  • The personal data has been processed unlawfully.

Right to limitation

Customers, partners and prospects are informed that this right is only intended to apply in the following cases:

  • The accuracy of the personal data is contested by the data subject, for a period of time allowing us to verify the accuracy of the personal data;
  • The processing is unlawful and the data subject objects to their erasure and demands instead that their use be restricted;
  • We no longer need the personal data for the purposes of the processing but they are still necessary for the data subject for the establishment, exercise or defence of legal claims;
  • The data subject has objected to the processing, during the verification as to whether the legitimate grounds pursued by the controller prevail over those of the data subject.

Right to data portability

We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of the individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.

Individual automated decision

We do not make any individual automated decisions.

Post-mortem right

Customers, partners and prospects are informed that they have the right to formulate directives concerning the retention, deletion and communication of their post-mortem data.

Exercise of rights

The aforementioned rights may be exercised, at the option of the interested party, by e-mail or by post to the following address: SPL Destination Saint-Malo – Baie du Mont Saint-Michel – Esplanade Saint-Vincent 35400 Saint-Malo.

Additional provisions

Optional or obligatory nature of responses

Customers, partners and prospects are informed of the obligatory or optional nature of responses by the presence of an asterisk on each personal data collection form submitted to them. Where answers are compulsory, we explain the consequences of not answering.

Right of use

Our organisation is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.

However, enriched data that is the result of processing and analysis work on our part remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we will ensure that the sub-processor complies with its obligations under the GDPR.
We undertake to sign a written contract with all our sub-processors and to impose the same data protection obligations on sub-processors as on ourselves. You can obtain a copy of these guarantees by writing to the email address qualite@saint-malo-tourisme.com

In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the RGPD.

Processing register

As data controller, we undertake to keep an up-to-date register of all processing activities carried out.

This register is a document or application allowing us to list all the processing activities that we implement as data controller.

We undertake to provide the supervisory authority, on first request, with the information enabling the said authority to verify the compliance of the processing activities with the regulations in force.

Security

Security measures

We are responsible for defining and implementing the technical, physical or logical security measures we deem appropriate to combat the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.

To this end, we may enlist the assistance of any third party of our choice to carry out vulnerability audits or penetration tests at such intervals as we deem necessary.

In any event, we undertake, in the event of a change in the means designed to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a regression in the level of security.

In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical measures to protect this data and the appropriate human resources.

Data breach

In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the RGPD.

If the said breach poses a high risk to customers, partners and prospective customers and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

Contacts

We have appointed a Data Protection Officer / RGPD Referent whose contact details are as follows:
Data Protection Officer: Cabinet Racine – Eric Barbry dpo@racine.eu
RGPD Referent: Marianne Abgrall – qualite@saint-malo-tourisme.com

In the event of any new processing of personal data, we will first refer the matter to the Data Protection Officer / RGPD Referent.

If you wish to obtain information or ask a specific question, you may refer the matter to the Data Protection Officer / RGPD Referent, who will give you an answer within a reasonable timeframe with regard to the information required or the question asked.

If you encounter a problem with the processing of your personal data, you may refer the matter to the designated Data Protection Officer / RGPD Referent.

Right to lodge a complaint with the CNIL

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

CNIL – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

Evolution

This policy may be amended or modified at any time in the event of changes in legislation, case law, CNIL decisions and recommendations or usage.

Any new version of this policy will be brought to the attention of customers, prospects and partners by any means we define, including electronically (distribution by e-mail or online for example).

For more information

For any additional information, you can contact us at the above address, in this case SPL Destination Saint-Malo – Baie du Mont Saint-Michel Mme la Référente RGPD – Esplanade Saint-Vincent 35400 Saint-Malo.

For any other more general information on the protection of personal data, you can consult the CNIL website: www.cnil.fr.