1. General provisions
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter referred to as the RGPD), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
Subsequently, and in order to implement the modifications of the RGPD, the law n°78-17 of January 6, 1978, known as "Informatique et libertés", was modified by the law n°2018-493 of June 20, 2018 by the ordinance n°2018-1125 of December 12, 2018 relating to data protection.
This policy is implemented by the Lille Tourist Office (hereinafter referred to as "the organisation"), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of the tourist offer of the Lille territory.
Within the framework of our activity, we implement personal data processing relating to the data of our customers, partners and prospects. For a good understanding of the present policy, it is specified that
- Clients are understood to be all natural or legal persons who have entered into a contract of any kind with our organisation, it being specified that the latter is intended to work with professional tourism clients or the general public;
- partners are understood to be all natural or legal persons involved in the tourism sector and maintaining relations with our organisation in this respect, such as, in particular, tourism professionals in the department, project leaders and internal and external investors, holiday distributors, local authorities and their groupings or institutional partners;
- Prospects are understood to be any potential client or any contact recipient of promotional messages from our organisation whose data has been collected directly via contact forms, events or indirectly via any partner of the organisation.
Purpose and scope
This data protection policy is intended to apply to the processing of personal data of our customers, partners and prospects.
As such, the purpose of this policy is to meet the information obligation of our organisation and thus to formalise the rights and obligations of our clients, partners and prospects with regard to the processing of their data.
This policy only deals with processing for which we are responsible and with data that is described as "structured".
The processing of personal data may be managed directly by our organisation or through a processor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between us and our customers, partners and prospects. We do not process any data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be made known to customers, partners and prospects by means of an amendment to this policy.
2. Customer data
Types of data collected
Non-technical data
(identity and identification (surname, first name, date of birth, pseudo, customer number)
- contact details (e-mail, postal address, telephone number)
- professional/personal life when necessary
Technical data
(depending on the use case) - identification data (IP address)
- connection data (e.g. logs, token)
- acceptance data (click)
- location data
Origin of the data
We collect our customers' data from :
- data provided by the customer (paper form, order form, contract, business card) ;
- electronic forms filled in by the customer;
- data entered online (website, social networks, ...);
- registration to events that we organise;
- databases shared between several partners, fed and exploited by all these partners;
- rental or acquisition of databases on an exceptional basis;
- communication of contacts through specialised companies or partners of our organisation.
Purpose and scope
This personal data protection policy is intended to apply to the processing of personal data of our customers, partners and prospects.
As such, the purpose of this policy is to meet the information obligation of our organisation and thus to formalise the rights and obligations of our clients, partners and prospects with regard to the processing of their data.
This policy only deals with processing for which we are responsible and with data that is described as "structured".
The processing of personal data may be managed directly by our organisation or through a processor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between us and our customers, partners and prospects. We do not process any data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR.
Any new processing, modification or deletion of existing processing will be made known to customers, partners and prospects by means of an amendment to this policy.
2. Customer data
Types of data collected
Non-technical data
(identity and identification (surname, first name, date of birth, pseudo, customer number)
- contact details (e-mail, postal address, telephone number)
- professional/personal life when necessary
Technical data
(depending on the use case) - identification data (IP address)
- connection data (e.g. logs, token)
- acceptance data (click)
- location data
Origin of the data
We collect our customers' data from :
- data provided by the customer (paper form, order form, contract, business card) ;
- electronic forms filled in by the customer;
- data entered online (website, social networks, ...);
- registration to events that we organise;
- databases shared between several partners, fed and exploited by all these partners;
- rental or acquisition of databases on an exceptional basis;
- communication of contacts through specialised companies or partners of our organisation.
Purposes
Depending on the case, we process our customers' data for the following purposes
- customer relationship management ;
- sale of tourist trips directly or via distribution partners;
- management of events organised by us;
- sending newsletters or news feeds;
- management of customer accounts;
- improving our services;
- meeting our administrative obligations;
- community management;
- compiling statistics.
Retention periods
The length of time we keep our customers' data is defined in the light of the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
Processing Retention period
Data relating to customers For the duration of the contractual relationship, plus 3 years for the purposes of promotion and prospecting, without prejudice to retention obligations or limitation periods
Technical data 1 year from the date of collection
Cookies 13 months
After the set periods, the data is either deleted or kept after being anonymised, in particular for statistical purposes. They may be kept in the event of pre-litigation and litigation.
Customers are reminded that deletion or anonymisation are irreversible operations and we are no longer able to restore them.
Legal basis
The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures or, in certain cases, on the customer's consent (e.g.: sending commercial prospecting messages).
3. Data from partners
Types of data collected
Non-technical data
(identity and identification (surname, first name, date of birth, pseudo)
- contact details (e-mail, postal address, telephone number)
- professional life (function, job title, etc.)
Technical data
(depending on the use case) - identification data (IP address)
- connection data (e.g. logs, token)
- acceptance data (click)
- location data
Origin of the data
We collect data from our partners from :
- information collected directly from the partners ;
- forms or electronic forms filled in by the partners;
- registrations or subscriptions to our online services (newsletter, social networks).
Purposes
Depending on the case, we process our customers' data for the following purposes
- management of partner relations;
- labelling of sites and facilities for the sectors entrusted by the organisation
- tourism engineering operations (diagnostics and feasibility studies, support for project set-up and grant application files)
- networking and consultation with the various partners
- operations to help market our partner service providers;
- management of the events we organise (trade fairs, workshops, etc.);
- training operations for partner service providers;
- search for distribution partners;
- statistics.
Retention periods
The length of time we keep our partners' data is defined in the light of the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
Processing Retention period
Customer data For the duration of the contractual relationship, increased by 3 years for the purpose of monitoring the relationship, without prejudice to retention obligations or limitation periods
Technical data 1 year from collection
Cookies 13 months
After the set periods, the data is either deleted or kept after being anonymised, in particular for statistical purposes. They may be kept in the event of pre-litigation and litigation.
Partners are reminded that deletion or anonymisation are irreversible operations and that we are no longer able to restore them.
Legal basis
The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures.
4. Prospective customers' data
Types of data collected
Non-technical data
(identity and identification (surname, first name, date of birth, pseudo)
- contact details (e-mail, postal address, telephone number)
- professional life (function, job title, etc.)
Technical data
(depending on the use case) - identification data (IP address)
- connection data (e.g. logs, token)
- acceptance data (click)
- location data
Origin of the data
We collect our prospects' data from :
- data provided by the prospect (paper form, business card, etc.) ;
- forms or electronic forms filled in by the prospect;
- data entered online (website, social networks, etc.);
- registration or subscription to our online services (website, social networks);
- registration to events that we organise;
- databases shared between several partners, fed and used by all these partners;
- list communicated by the organisers of events or conferences in which we participate;
- Rental of databases on an exceptional basis;
- communication of contacts through specialised companies or partners.
Purposes
Depending on the case, we process the data of our prospects for the following purposes
- management of the prospect relationship;
- management of the events we organise;
- sending our newsletters or news feeds;
- animation of websites in partnership with our partners;
- promotion of our organisation and tourism in (to be completed) on social networks (Facebook, Twitter, YouTube, Instagram, etc.);
- behavioural analysis of prospects ;
- community management ;
- statistics.
Retention periods
The length of time we keep our prospects' data is defined in the light of the legal and contractual constraints on us and, failing that, according to our needs and in particular according to the following principles:
Processing Retention period
Customer data For 3 years from the date of collection or last contact from the prospect
Technical data 1 year from collection
Cookies 13 months
After the set periods, the data is either deleted or kept after being anonymised, particularly for statistical purposes. They may be kept in the event of pre-litigation and litigation.
Prospects are reminded that deletion or anonymisation are irreversible operations and that we are no longer able to restore them.
Legal basis
The purposes of processing of prospects set out above are based on the following lawfulness conditions:
- performance of pre-contractual measures ;
- legitimate interest of our organisation;
- consent of the prospect when required by law (e.g. for the sending of commercial prospecting messages).
5. Recipients of the data
We ensure that data is only accessible to authorised internal or external recipients who are subject to an appropriate obligation of confidentiality.
Internally, we decide which recipient will have access to which data according to an authorisation policy.
All accesses concerning the processing of personal data of customers, partners and prospects are subject to a traceability measure.
Furthermore, personal data may be communicated to any authority legally entitled to know about it. In this case, we are not responsible for the conditions under which the personnel of these authorities have access to and use the data.
Internal recipients External recipients
Authorised staff within our organisation (marketing staff, customer relationship management, service providers and prospects, administrative staff, IT staff) and their line managers. - Tourist partners who access the shared file in which the data may appear;
- service providers or support services;
- Authorised staff of the services responsible for control (auditor, services responsible for internal control procedures, etc.);
- administration, court officials, where applicable.
6. Rights of individuals
Right of access and copy
Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them are being processed.
They also have a right of access to their data, i.e. the right to obtain all information relating to the processing of their personal data.
In such a case, the client, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Failing this, we reserve the right to request the communication of any element allowing the client, partner or prospect to be identified, such as a copy of an identity document.
Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost of this.
If customers, partners and prospective customers request a copy of the data electronically, the requested information will be provided in a commonly used electronic form, unless otherwise requested.
Customers, partners and prospective customers are informed that this right of access may not relate to confidential information or data, or to information which may not be disclosed by law.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the service concerned.
Updating - updating and rectification
We comply with requests for updates:
- automatically for online changes to fields that can technically or legally be updated;
- on written request from the person himself/herself who must prove his/her identity.
Right to erasure
The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases
- personal data is no longer necessary for the purposes for which it was collected or otherwise processed
- when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
- the data subject objects to the processing of his or her personal data for the purpose of marketing, including profiling;
- the personal data have been processed unlawfully.
Right to limitation
Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing operations we carry out are lawful and that all personal data collected is necessary for the implementation of the purposes of the processing thereof.
Right to portability
We grant requests for data portability in the particular case of data provided by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of the individuals and performance of a contract. In this case, the data is provided to the applicant in a structured, commonly used and machine-readable format.
Automated individual decision making
We do not make any automated individual decisions.
The tools offered on our website are only tools to help customers and prospects and should not be considered otherwise.
Post-mortem rights
Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.
Exercise of rights
The exercise of the aforementioned rights is carried out, at the choice of the person concerned, by e-mail or by post to the following address: dpo-otlille@racine.eu.
1. Additional provisions
Optional or compulsory nature of responses
Customers, partners and prospects are informed of the compulsory or optional nature of the answers by the presence of an asterisk on each personal data collection form submitted to them. In the case where answers are compulsory, we explain the consequences of not answering.
Right of use
Our organisation is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.
However, the enriched data which are the result of processing and analysis on our part, otherwise known as enriched data, remain our exclusive property (analysis of use, statistics, etc.).
Subcontracting
We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we will ensure that the subcontractor complies with its obligations under the GDPR.
We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as we do ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the provisions of the GDPR.
Cross-border flows
Our organisation reserves the right to decide whether or not to have transborder flows of personal data that it processes.
If personal data is transferred to a country outside the European Union or to an international organisation, we will inform you and ensure that your rights are respected. If necessary, we will sign one or more contracts to govern transborder data flows.
The provisions relating to cross-border data flows are enforceable against us, except in the derogations provided for in Article 49 of the GDPR.
Register of processing operations
As a data controller, we undertake to keep an up-to-date register of all processing activities carried out.
This register is a document or application that allows us to identify all the processing activities that we carry out as a controller.
We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.
2. Security
Security measures
It is our responsibility to define and implement the technical security measures, physical or logical, that we consider appropriate to combat the destruction, loss, alteration or unauthorised disclosure of data in an accidental or illicit manner.
To this end, we may engage the assistance of any third party of our choice to conduct vulnerability audits or penetration tests at such intervals as we deem necessary.
In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical measures to protect such data and the appropriate human resources.
Data breach
In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the RGPD.
If the breach poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.
3. Contacts
Data protection officer / RGPD referent
We have appointed a data protection officer / RGPD referent whose contact details are as follows Mr Eric BARBRY, 40 rue de Courcelles 75008 PARIS, 0144824300.
In the event of new processing of personal data, we will first contact the data protection officer / RGPD referent.
If you wish to obtain specific information or ask a specific question, you may refer the matter to the Data Protection Officer / RGPD representative, who will give you an answer within a reasonable period of time with regard to the question asked or the information required.
In the event of a problem with the processing of your personal data, you may refer the matter to the Data Protection Officer / a designated RGPD contact person.
Right to lodge a complaint with the CNIL
Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of their personal data does not comply with the European data protection regulations, at the following address
Cnil - Service des plaintes
3 Place de Fontenoy- TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
Changes
This policy may be modified or amended at any time in the event of changes in legislation, case law, Cnil decisions and recommendations or practices.
Any new version of this policy will be brought to the attention of customers, prospects and partners by any means we define, including electronically (distribution by e-mail or online, for example).
For further information
For any further information, you can contact the DPO at the above address, in this case dpo-otlille@racine.eu.
For more general information on the protection of personal data, you can consult the Cnil website www.cnil.fr.