Privacy policy

Data protection policy of customers, prospects and partners

1. General provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter GDPR), sets out the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of controllers, processors, data subjects and recipients of data.

Subsequently, and to implement the amendments to the GDPR, Law No. 78-17 of 6 January 1978 known as Informatique et Libertés was amended by Law No. 2018-493 of 20 June 2018 and by Ordinance No. 2018-1125 of 12 December 2018 on data protection.

This policy is implemented by the Regional Tourism Committee of Brittany (hereinafter referred to as “the body”), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of brittany’s tourist offer.

As part of our activity, we implement the processing of personal data relating to the data of our customers, partners and prospects. For a good understanding of this policy, it is specified that:

customers are understood as any natural or legal person engaged under a contract of any kind whatsoever with our organization, it being specified that it is intended to work with professional customers of tourism or the general public;
the partners are understood as all natural or legal persons involved in the tourism sector and maintaining as such relations with our organization, such as tourism professionals of the department, project leaders and internal and external investors, distributors of stays, local authorities and their groups or institutional partners;
prospects are understood as any potential customer or contact recipient of promotional messages from our organization whose data has been collected directly via contact forms, events or indirectly via any partner of the organization.

Purpose and Scope

This personal data protection policy is intended to apply in the context of the implementation of the processing of personal data of our customers, partners and prospects.

As such, the purpose of this policy is to meet the information obligation of our organization and thus to formalize the rights and obligations of customers, partners and prospects with regard to the processing of their data.

This policy only covers the processing for which we are responsible as well as data described as “structured”.

The processing of personal data may be managed directly by our organisation or through a processor specifically appointed by it.

This policy is independent of any other document that may apply within the contractual relationship between us and our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.

Any new treatment, modification or deletion of an existing treatment will be brought to the attention of customers, partners and prospects through a modification of this policy.

2. Customer data

Types of data collected

Non-technical data

(depending on the use case)

identity and identification (surname, first name, date of birth)
contact details (email, postal address, telephone number)
professional / personal life when necessary
bank details (RIB)
Technical data

(depending on the use case)

identification data (IP address)
connection data (logs, tokens in particular)
acceptance data (click)
location data

Origin of the data

We collect our customers’ data from:

  • data provided by the customer (paper form, purchase order, contract, business card);
  • electronic forms or forms completed by the customer;
  • data entered online (website, social networks, etc.);
  • registration for events we organize;
  • databases shared between several partners, fed and operated by all these partners;
  • communication of contacts through specialized companies or partners of our organization.

Purposes

Depending on the case, we process our customers’ data for the following purposes:

  • customer relationship management;
  • sale of touriststays, services or products directly or via distribution partners;
  • management of the organized events we organize;
  • commercial prospecting actions;
  • sending newsletters or newsfeeds;
  • organization of competitions;
  • customer account management;
  • improving our services;
  • responding to our administrative obligations;
  • community management ;
  • conducting satisfaction surveys;
  • production of statistics.

Retention periods

The retention period of our customers’ data is defined with regard to the legal and contractual constraints that weigh on us and failing that according to our needs and in particular according to the following principles:

Customers are reminded that deletion or anonymization are irreversible operations and we are no longer able to restore them.

TreatmentShelf life
CustomerdonationsDuring the duration of the contractual relations, increased by 3 years for animation and prospecting purposes, without prejudice to retention obligations or limitation periods
Technical data1 year from their collection
CookiesSee the cookies policy

Legal basis

The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures or, in some cases, the consent of the customer (e.g. sending commercial prospecting messages).

3. Partner data

Types of data collected

Non-technical data

(depending on the use case)

identity and identification (name, prenom)
contact details (e-mail, postal address, telephone number)
professional life (function, job title, etc.)
bank details (RIB)
Technical data

(depending on the use case)

identification data (IP address)
connection data (logs, tokens in particular)
acceptance data (click)
location data

Origin of the data

We collect our partners’ data from:

  • information collected directly via partners,in particular via shared databases;
  • electronic forms or forms completed by the partners;
  • registrations or subscriptions to our online services (newsletter, social networks).

Purposes

Depending on the case, we process our customers’ data for the following purposes:

  • partner relationship management;
  • labeling of sites and equipment for the sectors entrusted by the organization;
  • tourism engineering operations (diagnostics and feasibility studies, support for setting up projects and grant application files);
  • sending newsletters or news feeds;
  • networking and consultation operations between the various partners;
  • marketing assistance operations for partner service providers;
  • management of the events we organize (trade fairs, workshops, webinars, etc.);
  • search operations for distribution partners;
  • production of statistics.

Retention periods

The retention period of our partners’ data is defined with regard to the legal and contractual constraints that weigh on us and failing that according to our needs and in particular according to the following principles:

TreatmentShelf life
Customer dataDuring the duration of the contractual relationship, increased by 3 years for the purpose of monitoring the relationship, without prejudice to retention obligations or limitation periods
Technical data1 year from their collection
CookiesSee the cookies policy

After the deadlines set, the data are either deleted or kept after being anonymized, in particular for reasons of statistical use. They can be kept in case of pre-litigation and litigation.

Partners are reminded that deletion or anonymization are irreversible operations and that we are no longer able to restore them.

Legal basis

The processing operations that we implement under this policy are all legally based on the implementation of contractual or pre-contractual measures.

4. Prospect data

Types of data collected

Non-technical data

(depending on the use case)

identity and identification (name,p renom,date of birth)
contact details (e-mail, postal address, telephone number)
professional life (function, job title, etc.) and personal life
Technical data

(depending on the use case)

identification data (IP address)
connection data (logs, tokens in particular)
acceptance data (click)
location data

Origin of the data

We collect data from our prospects from:

  • data provided by the prospect (paper form, business card, etc.);
  • electronic forms or forms completed by the prospect;
  • data entered online (website, social networks, etc.);
  • registration or subscription to our online services (website, social networks);
  • registration for events we organize;
  • databases shared between several partners, fed and operated by all these partners;
  • list provided by the organizers of events or conferences in which we participate;
  • communication of contacts through specialized companies or partners.

Purposes

Depending on the case, we process the data of our prospects for the following purposes:

  • management of the prospect relationship;
  • management of the events we organise;
  • commercial prospecting actions;
  • organization of competitions:
  • sending our newsletters or news feeds;
  • animation of websites in partnership with our partners;
  • operation to promote our organization and tourism in Brittany on social networks (Facebook, Twitter, YouTube, Instagram, …);
  • behavioral analysis of prospects;
  • satisfaction survey;
  • community management ;
  • production of statistics.

Retention periods

The retention period of the data of our prospects is defined with regard to the legal and contractual constraints that weigh on us and failing that according to our needs and in particular according to the following principles:

TreatmentShelf life
Customer dataFor 3 years from their collection or the last contact from the prospect
Technical data1 year from their collection
CookiesSee the cookies policy

After the deadlines set, the data are either deleted or kept after being anonymized, in particular for reasons of statistical use. They can be kept in case of pre-litigation and litigation.

Prospects are reminded that deletion or anonymization are irreversible operations and that we are no longer able to restore them.

Legal basis

The purposes of processing prospects presented above are based on the following conditions of lawfulness:

execution of pre-contractual measures;
legitimate interest of our organization;
consent of the prospect when required by law (example with regard to the sending of commercial prospecting messages).

5. Recipients of the data

We ensure that the data is only accessible to authorized internal or external recipients andsubject to an appropriate obligation of confidentiality.

Internally, we decide which recipient will be able to access which data according to an authorization policy.

All access to processing of personal data of customers, partners and prospects is subject to a traceability measure.

In addition, personal data may be communicated to any authority legally entitled to know them. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

Internal recipientsExternal recipients
The authorized staff within our structure (staff in charge of marketing, customer relationship management / qualitydepartment, service provider and prospect, administrative staff, accounting department, staff in charge of IT) and their line managers.Tourism partners who access the shared file in which the data may appear;
Prestaurants or support services;
AuthorizedP ersonnel of the services responsible for audit (auditor, services responsible for internal audit procedures, etc.);
Banking institutions;
Administration, auxiliary of justice if necessary.

6. Personal rights

Right of access and copy

Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them is being processed.

They also have a right to access their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the customer, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Otherwise, we reserve the right to request the communication of any element allowing its identification, such as in particular the copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require the financial coverage of this cost by customers, partners and prospects.

If customers, partners and prospects submit their request for a copy of the data electronically, the requested information will be provided to them in a commonly used electronic form, unless otherwise requested.

Customers, partners and prospects are informed that this right of access cannot relate to confidential information or data or for which the law does not authorize communication.

The right of access must not be exercised in an abusivemanner, i.e. carried out on a regular basis for the sole purpose of destabilising the service concerned.

Update – updating and rectification

We respond to update requests:

  • automatically for online changes to fields that technically or legally can be updated;
  • upon written request from the person himself who must prove his identity.

Right to erasure

The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limiting cases:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • where the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to processing that is necessary for the purposes of the legitimate interests we pursue and that there are no overriding legitimate grounds for the processing;
  • the data subject objects to the processing of his or her personal data for direct marketing purposes, including profiling;
  • the personal data have been unlawfully processed.

Right to limitation

Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing we implement is lawful and that all the personal data collected are necessary for the implementation of the purposes of the processing thereof.

Right to portability

We grant requests for data portability in the particular case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consents of individuals and execution of a contract. In this case, the data shall be communicated to the applicant in a structured, commonly used and machine-readable format.

Automated individual decision-making

We do not make any automated individual decisions.

The tools offered on our website are only help tools for customers and prospects and cannot be considered otherwise.

Post-mortem law

Customers, partners and prospects are informed that they have the right to formulate guidelines regarding the storage, erasure and communication of their post-mortem data.

Exercise of rights

The exercise of the aforementioned rights is carried out, at the choice of the interested party, by e-mail or by post to the following coordinates: dpo@tourismebretagne.com.

7. Additional provisions

Optional or mandatory nature of responses

Customers, partners and prospects are informed of the mandatory or optional nature of the answers by the presence of an asterisk on each personal data collection form submitted to it. In the event that answers are mandatory, we explain to them the consequences of a lack of response.

Right of use

Our organization is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.

However, the enriched data that are the result of processing and analysis work on our part, otherwise called the enriched data, remain our exclusive property (usage analysis, statistics, etc.).

Outsourcing

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the processor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose on the subcontractors the same data protection obligations as itself. In addition, we reserve the right to conduct an audit of our subcontractors to ensure compliance with the provisions of the GDPR.

Cross-border flows

Our organization alone reserves the choice of whether or not to have cross-border flows for the personal data it processes.

In the event of a transfer of personal data to a country outside the European Union or to an international organisation, we will inform you and ensure that your rights are properly respected. If necessary, we undertake to sign one or more contracts to regulate transborder data flows.

The provisions relating to cross-border flows are enforceable against us, except in the derogating cases provided for in Article 49 of the GDPR.

Register of treatments

As a controller, we undertake to keep an up-to-date record of all processing activities carried out.

This register is a document or application to identify all the processing that we implement as data controller.

We undertake to provide the supervisory authority, on first request, with the information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.

8. Security

Security measures

It is our responsibility to define and implement the technical security measures,physical orlogical,that we deem appropriate to combat the destruction, loss, alteration or unauthorized disclosure of data in an accidental or unlawful manner.

To do this, we may be assisted by any third party of our choice to carry out, at the frequencies we deem necessary, vulnerability audits or penetration tests.

In any case, we undertake, in the event of a change in the means to ensure the security and confidentiality of personal data,to replace them with means of superior performance. No change can lead to a regression in the level of safety.

In the event of subcontracting of part or all of a processing of personal data, we undertake to contractually impose on our subcontractors security guarantees through technical measures to protect such data and appropriate human resources.

Data breach

In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the GDPR.

If such breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the data subjects and provide them with the necessary information and recommendations.

Contacts

Data Protection Officer

We have appointed adata protection delegate whose contact details are as follows: Me Eric Barby, Racine law firm, 40 rue de Courcelles, 75008 Paris, dpo@tourismebretagne.com.

In the event of further processing of personal data, we will first refer the matter to the Data Protection Officer.

If you wish to obtain a particular information or ask a particular question, you can refer the matter to the Data Protection Officer who will give you an answer within a reasonable time with regard to the question asked or the information required.

In the event of a problem with the processing of your personal data, you may refer the matter to the designated data protection officer.

Right to lodge a complaint with the CNIL

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

 

CNIL – Complaints Department

3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07

Phone : 01 53 73 22 22

Evolution

This policy may be modified or modified at any time in the event of legal and jurisprudential developments, decisions and recommendations of the CNIL or customs.

Any new version of this policy will be brought to the attention of customers, prospects and partners by any changeswe define, including by electronic means (e.g. dissemination by e-mail or online).

For more information

For any further information, you can contact the DPO at the aforementioned address, in this case dpo@tourismebretagne.com

For any other more general information on the protection of personal data, you can consult the CNIL website www.cnil.fr.

 

Site for tour operators in Brittany
Close