Quai Du WaultQuai Du Wault Laurent Javoy Hello Lille 7 Min
©Quai Du Wault|Laurent Javoy - Hello Lille

Privacy policy

  1. Home
  2. Privacy policy

General provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, processors, data subjects and data recipients.

Subsequently, and in order to implement the modifications of the RGPD, the French Data Protection Act n°78-17 of January 6, 1978 was amended by Act n°2018-493 of June 20, 2018 by Ordinance n°2018-1125 of December 12, 2018.

This policy is implemented by the Lille Metropolitan Tourist Office (hereinafter referred to as “the organization”), whose main activities are the development of the tourism offer, the promotion of tourist destinations and the marketing of the tourism offer of the Lille metropolis territory.

As part of our activities, we process personal data relating to our customers, partners and prospective customers. For a better understanding of the present policy, it is specified that :

  • customers are understood to be all individuals or legal entities who have entered into a contract of any kind with our organization, it being specified that the latter is intended to work with customers in the tourism industry or the general public;
  • partners are defined as any natural or legal persons working in the tourism sector and maintaining relations with our organization in this capacity, such as local tourism professionals, project sponsors and internal and external investors, holiday distributors, local authorities and their associations, or institutional partners;
  • Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organization, whose data has been collected directly via contact forms, events or indirectly via any of our organization’s partners.

Purpose and scope

This personal data protection policy is intended to apply to the processing of the personal data of our customers, partners and prospects.

As such, the purpose of this policy is to satisfy our organization’s obligation to provide information, and thus to formalize the rights and obligations of our customers, partners and prospects with regard to the processing of their data.

This policy applies only to data processing for which we are responsible, and to “structured” data.

The processing of personal data may be managed directly by our organization or through a subcontractor specifically appointed by it.

This policy is independent of any other document that may apply within the contractual relationship that binds us to our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.

Customer data

Types of data collected

Non-technical data
  • (identity and identification (surname, first name, date of birth, pseudonym, customer number)
  • contact details (e-mail, postal address, telephone number)
  • professional/personal life where necessary
Technical data
  • (depending on use) – identification data (IP address)
  • connection data (logs, token, etc.)
  • acceptance data (click)
  • location data
Data origin

We collect customer data from :

  • data supplied by the customer (paper form, order form, contract, business card) ;
  • electronic forms filled in by the customer;
  • data entered online (website, social networks, etc.);
  • registration for events we organize;
  • databases shared by several partners, fed and used by all these partners;
  • exceptional rental or acquisition of databases;
  • communication of contacts via specialized companies or partners of our organization.

Purposes

As the case may be, we process customer data for the following purposes:

  • customer relationship management ;
  • sale of tourist stays directly or via distribution partners;
  • management of events organized by us;
  • sending newsletters or information feeds;
  • customer account management;
  • improving our services;
  • meeting our administrative obligations;
  • community management;
  • statistics.

Retention periods

The length of time we keep our customers’ data is defined in the light of the legal and contractual constraints we are subject to, and otherwise according to our needs, and in particular in accordance with the following principles:

Processing retention period
  • Customer data: for the duration of the contractual relationship, plus 3 years for promotional and canvassing purposes, without prejudice to retention obligations or limitation periods;
  • Technical data: 1 year from collection;
  • Cookies 13 months.

Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.

Customers are reminded that deletion or anonymization are irreversible operations, and we are subsequently unable to restore them.

Legal basis

The legal basis for the processing operations we carry out under this policy is the implementation of contractual or pre-contractual measures or, in certain cases, the customer’s consent (e.g.: sending of commercial prospecting messages).

Partner data

Types of data collected

Non-technical data
  • (depending on use) identity and identification (surname, first name, date of birth, pseudonym)
  • contact details (e-mail, postal address, telephone number)
  • professional details (position, job title, etc.)
Technical data
  • (depending on use) identification data (IP address)
  • connection data (logs, token, etc.)
  • acceptance data (click)
  • location data

Data origin

We collect data from our partners from :

  • information collected directly from partners ;
  • electronic forms filled in by partners;
  • registrations or subscriptions to our online services (newsletter, social networks).

Purposes

Where applicable, we process customer data for the following purposes:

  • partner relationship management ;
  • certification of sites and facilities in the sectors entrusted to us by the organization
  • tourism engineering operations (diagnostics and feasibility studies, support in setting up projects and subsidy applications) ;
  • networking and consultation with various partners;
  • marketing support for partner service providers;
  • management of the events we organize (trade shows, workshops, etc.);
  • training operations for partner service providers;
  • search for distribution partners;
  • statistics.

Retention periods

The length of time we retain our partners’ data is defined in the light of our legal and contractual obligations and, failing that, according to our needs, and in particular according to the following principles:

Processing retention period
  • Customer data: for the duration of the contractual relationship, plus 3 years for relationship monitoring purposes, without prejudice to retention obligations or limitation periods;
  • Technical data: 1 year from collection;
  • Cookies: 13 months

Once these time limits have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.

Partners are reminded that deletion or anonymization are irreversible operations, and that we are not subsequently able to restore them.

Legal basis

The legal basis for the processing operations we carry out under this policy is the implementation of contractual or pre-contractual measures.

Prospect data

Types of data collected

Non-technical data
  • (depending on use) identity and identification (surname, first name, date of birth, pseudonym) ;
  • contact details (e-mail, postal address, telephone number)
  • professional details (position, job title, etc.)
Technical data
  • (depending on use) identification data (IP address) ;
  • connection data (logs, token, etc.);
  • acceptance data (click);
  • location data.

Data origin

We collect our prospects’ data from :

  • data supplied by the prospect (paper form, business card, etc.) ;
  • forms or electronic forms filled in by the prospect;
  • data entered online (website, social networks, etc.);
  • registration or subscription to our online services (website, social networks);
  • registration for events we organize;
  • databases shared by several partners, fed and used by all these partners;
  • lists provided by the organizers of events or conferences in which we participate;
  • exceptional database rentals;
  • communication of contacts via specialized companies or partners.

Purposes

Depending on the case, we process our prospects’ data for the following purposes:

  • prospect relationship management ;
  • management of events we organize;
  • sending our newsletters or news feeds;
  • animation of websites in partnership with our partners;
  • promoting our organization and tourism in Lille on social networks (Facebook, YouTube, Instagram, etc.);
  • behavioral analysis of prospects ;
  • community management;
  • statistics.

Retention periods

The length of time we keep our prospects’ data is defined in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs, and in particular according to the following principles:

Processing retention period
  • Customer data: 3 years from the date of collection or last contact with the prospect;
  • Technical data: 1 year from collection;
  • Cookies: 13 months.

Once these periods have elapsed, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes.

Prospects are reminded that deletion or anonymization are irreversible operations and that we are not subsequently able to restore them.

Legal basis

The above-mentioned purposes for processing prospects are based on the following conditions of lawfulness:

  • performance of pre-contractual measures ;
  • our organization’s legitimate interests
  • the prospect’s consent when required by law (e.g. for the sending of commercial prospecting messages).

Data recipients

We ensure that data is only accessible to authorized internal or external recipients who are subject to an appropriate obligation of confidentiality. Internally, we decide which recipients will have access to which data according to an authorization policy.

All accesses concerning the processing of personal data of customers, partners and prospects are subject to traceability measures. In addition, personal data may be communicated to any authority legally empowered to deal with it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

Internal and external recipients

  • Authorized personnel within our organization (marketing, customer relations management, service providers and prospects, administrative staff, IT personnel) and their line managers;
  • Tourist partners who access the shared file in which data may appear;
  • Service providers or support services;
  • Authorized staff of auditing departments (auditors, departments responsible for internal audit procedures, etc.);
  • Administrative and judicial authorities, where applicable.

Individual rights

Access and copy rights

Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them is being processed. They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the customer, partner or prospect must formulate his or her request himself or herself, and there must be no doubt as to his or her identity. Failing this, we reserve the right to ask for any information that would enable them to be identified, such as a copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost of this.

If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested. Customers, partners and prospective customers are hereby informed that this right of access may not relate to confidential information or data, or data for which communication is not permitted by law. The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the service concerned.

Updating and rectification

We respond to requests for updates :

  • automatically for online modifications to fields that can be technically or legally updated;
  • upon written request from the person concerned, who must provide proof of identity.

Right to erasure

The right to erasure of customers, partners and prospects will not apply in cases where processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases:

  • personal data is no longer required for the purposes for which it was collected or otherwise processed;
  • when the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
  • the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
  • the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
  • the personal data has been processed unlawfully.

Right to restriction

Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing we carry out is lawful and all personal data collected is necessary for the purposes for which it is processed.

Right to portability

We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.

Automated individual decisions

We do not make any automated individual decisions. The tools offered on our website are only intended to help customers and prospects and should not be considered otherwise.

Post-mortem rights

Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.

Exercise of rights

The aforementioned rights may be exercised, at the option of the person concerned, by e-mail or by post to the following address: dpo-otlille@racine.eu.

Additional provisions

Optional or mandatory responses

Customers, partners and prospects are informed of the compulsory or optional nature of their responses by the presence of an asterisk on each personal data collection form submitted. Where answers are mandatory, we explain the consequences of not answering.

Right of use

Our customers, prospects and partners grant us the right to use and process their personal data for the purposes set out above. However, enriched data resulting from processing and analysis on our part, otherwise known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the RGPD.

We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as ourselves. In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the RGPD.

Cross-border flows

Our organization alone reserves the choice of whether or not to have transborder flows for the personal data it processes. In the event of the transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are properly respected. If necessary, we will sign one or more contracts to govern cross-border data flows.

The provisions relating to cross-border flows are enforceable against us, except in the derogatory cases provided for in Article 49 of the RGPD.

Register of processing operations

As data controller, we undertake to keep an up-to-date register of all processing activities carried out. This register is a document or application that makes it possible to list all the processing that we implement as data controller.

We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of processing with current data protection regulations.

Security

Security measures

We are responsible for defining and implementing the physical or logical technical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data. To this end, we may engage the assistance of any third party of our choice to carry out vulnerability audits or penetration tests, at such intervals as we deem necessary.

In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors, by means of technical data protection measures and appropriate human resources.

Data breaches

In the event of a personal data breach, we undertake to notify the Cnil under the conditions prescribed by the RGPD. If the said breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

Contacts

Data protection delegate / RGPD referent
We have appointed a data protection delegate / RGPD referent whose contact details are as follows: Mr Eric BARBRY, 40 rue de Courcelles 75008 PARIS, 0144824300.

In the event of any new processing of personal data, we will first refer the matter to the data protection delegate / an RGPD referent.

If you wish to obtain specific information or ask a particular question, you may refer the matter to the data protection delegate / an RGPD referent who will give you an answer within a reasonable timeframe with regard to the question asked or the information required.

In the event of a problem encountered with the processing of your personal data, you may refer the matter to the data protection delegate / a designated RGPD referent.

Right to lodge a complaint with Cnil

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

Cnil – Service des plaintes
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22

Changes

The present policy may be modified or amended at any time in response to changes in legislation, case law, Cnil decisions and recommendations, or practices.

Any new version of the present policy will be brought to the attention of customers, prospects and partners by any means we define, including by electronic means (distribution by e-mail or online, for example).

For further information

For further information, please contact the DPO at the above address, in this case dpo-otlille@racine.eu.

For more general information on the protection of personal data, please consult the Cnil website.