Data protection charter customers, prospects and partners 

1. General Provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter referred to as the GDPR) sets the legal framework for the processing of personal data. This text strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

Subsequently, and in order to implement the modifications of the GDPR, the law n°78-17 of 6 January 1978, known as "Informatique et libertés", was modified by the law n°2018-493 of 20 June 2018 and by the ordinance n°2018-1125 of 12 December 2018 on data protection.

This charter is implemented by the Comité Régional de Tourisme de Nouvelle-Aquitaine (hereinafter referred to as "CRTNA"). Our association under the 1901 law contributes to the implementation of the tourism policy adopted by the Regional Council of New Aquitaine. Its main tasks are to observe and organise tourism and to promote the region at national and international level.
The CRTNA manages the regional tourist information systems (LEI and SIRTAQUI) with its partners in the departments (ADT / CDT / departmental councils). Together they contribute to the use of these tools within the regional network of tourist boards and also mobilise the heads of the sectors.

In the course of our activities, we process personal data relating to our partners, clients and interested parties. For a good understanding of the present Charter, it is established that:

  • Partners mean any natural or legal person working in the tourism sector who is a member of our association and/or has relations with our organisation, such as tourism professionals in the region, project managers and internal and external investors, holiday agents, municipalities and their groups or institutional partners;

  • clients mean any natural or legal person who has concluded a contract of any kind with our organisation, specifying that it is intended for cooperation with tourism professionals or the general public;

  • prospects are defined as any potential customer or contact to whom our organisation sends promotional messages and whose data has been collected directly via contact forms, events or indirectly via any of our partners.

Purpose and Scope

This Personal Data Protection Charter is intended to be applied in the context of the implementation of the processing of personal data of our partners, customers and prospects.

In this respect, the purpose of this Charter is to fulfil our organisation’s obligation to inform and thus formalise the rights and obligations of our partners, customers and prospects with regard to the processing of their data.

This policy only covers processing for which we are responsible and data that is described as "structured".

The processing of personal data may be carried out directly by our organisation or by a subcontractor specifically appointed by it.

This policy is independent of any other documents that may apply as part of the contractual relationship between us and our partners, customers and prospects. We do not process data of our partners, customers and prospects unless it relates to personal data collected by or for our services or processed in connection with our services and it complies with the general principles of the GDPR.

Any new processing, modification or deletion of an existing processing shall be brought to the attention of partners, clients and prospects by means of an amendment to this Charter.

2. Partners’ Data

Types of Data Collected

Non-technical data (depending on the use case)

  • identity and identification (surname, first name, date of birth, username)
  • contact details (e-mail, postal address, telephone number)
  • professional life (position, job title, etc.)
  • bank details (RIB or IBAN)
  • health data if the guest, especially on an educational trip ("éductour"), needs to report it

Technical data (according to use cases)

  • identification data (IP address)
  • connection data (logs, in particular tokens)
  • opt-in details (click)
  • location data

Origin of the Data

We collect data from our partners from:

  • information collected directly through partners;
  • electronic forms or forms filled in by partners;
  • information entered through an extranet accessible to partners;
  • Registrations or subscriptions to our online services (newsletter, social networks).

Purposes

Depending on the case, we process the data of our customers for the following purposes:

  • management of partner relations;
  • labelling of sites and facilities for the channels assigned by the organisation, in particular the Villes et Villages Fleuris;
  • tourism engineering operations (diagnoses and feasibility studies, assistance in setting up projects and applying for grants);
  • networking and consultancy operations for the various partners;
  • operations to support the marketing of partner service providers;
  • management of the events we organise (trade fairs, workshops, etc.);
  • training activities for the partner service providers;
  • research operations for the distributors;
  • statistical reporting.

Retention Periods

The retention period of our partners’ data is determined with regard to the legal and contractual constraints that weigh on us and, otherwise, according to our needs and, in particular, according to the following principles:

Processing & Retention period
Customer Data : For the duration of the contractual relationship, increased by 3 years for advertising and prospecting purposes, without prejudice to retention obligations or limitation periods
Technical data : 1 year from collection
Cookies : 13 months

After expiry of the periods, the data will either be deleted or retained after anonymisation, in particular for statistical purposes. They may be kept in case of preliminary proceedings and litigation.

Partners are reminded that deletion or anonymisation are irreversible operations that cannot be recovered by us.

Legal Basis

The processing operations we carry out under this Charter are all based on the performance of contractual or pre-contractual measures or on our mandate in the public interest.

3. Customer Data

Types of Data Collected

Non-technical data (depending on the use case)

  • Identity and identification (surname, first name, date of birth, pseudo, customer number)
  • contact details (e-mail, postal address, telephone number)
  • bank details (RIB or IBAN)
  • professional / personal matters when necessary

Technical data (according to use cases)

  • identification data (IP address)
  • connection data (logs, in particular tokens)
  • opt-in details (click)
  • location data

Origin of the Data

We collect our customers’ data from:

  • data provided by the customer (paper form, order form, contract, business card);
  • electronic forms or forms filled in by the customer;
  • data entered online (website, social networks, etc.);
  • registration to events organised by us;
  • databases shared by several partners, fed and used by all these partners;
  • rental or acquisition of databases on an ad hoc basis;
  • mediation of contacts by specialised companies or partners of our organisation.

Purposes

Depending on the case, we process the data of our customers for the following purposes:

  • management of customer relations;
  • sale of tourist stays directly or through distributors;
  • management of events organised by us;
  • sending newsletters or information feeds;
  • management of customer accounts;
  • improvement of our services;
  • fulfilment of our administrative obligations;
  • community management;
  • statistical reporting.

Retention Periods

The retention period of our customers’ data is set according to the legal and contractual requirements and, if not, according to our needs and in particular according to the following principles:

Processing & Retention period
Customer Data : For the duration of the contractual relationship, increased by 3 years for advertising and prospecting purposes, without prejudice to retention obligations or limitation periods
Technical data : 1 year from collection
Cookies : 13 months

After expiry of the periods, the data will either be deleted or retained after anonymisation, in particular for statistical purposes. They may be kept in case of preliminary proceedings and litigation.

Customers are reminded that deletion or anonymisation are irreversible processes that we cannot subsequently recover.

Legal Basis

The processing operations we carry out under this Charter are all based on the performance of contractual or pre-contractual measures or, in some cases, on the customer’s consent (e.g.: sending of promotional messages).

4. Prospect Data

Types of Data Collected

Non-technical data (depending on the use case)

  • identity and identification (surname, first name, date of birth, username)
  • contact details (e-mail, postal address, telephone number)

Technical data (according to use cases)

  • identification data (IP address)
  • connection data (logs, in particular tokens)
  • opt-in details (click)
  • location data

Origin of the Data

We collect the data of our prospects from:

  • data provided by the interested party (paper form, business card, ...);
  • forms or electronic forms filled in by the interested party;
  • data entered online (website, social networks, etc.);
  • registration or subscription to our online services (website, social networks);
  • registration to events organised by us;
  • databases shared by several partners, fed and used by all these partners;
  • lists provided by the organisers of events or conferences in which we participate;
  • rental of databases on an ad hoc basis;
  • mediation of contacts by specialised companies or partners.

Purposes

Depending on the case, we process the data of our prospects for the following purposes:

  • management of the relationship with the interested parties;
  • management of the events we organise;
  • sending of our newsletters or newsfeeds;
  • animation of websites in collaboration with our partners;
  • operation to promote our organisation and tourism on our website, on social networks (Facebook, Twitter, YouTube, Instagram, ...);
  • behavioural analysis of the interested parties;
  • community management;
  • statistical reporting.

Retention Periods

The duration of the retention of our prospects’ data depends on the legal and contractual obligations incumbent on us, otherwise on our needs and in particular on the following principles:

Processing & Retention period
Customer Data : 3 years from the date of collection or last contact by the prospect
Technical data : 1 year from collection
Cookies : 13 months

After expiry of the periods, the data will either be deleted or retained after anonymisation, in particular for statistical purposes. They may be kept in case of preliminary proceedings and litigation.

Prospects are informed that deletion or anonymisation are irreversible operations that we cannot subsequently recover.

Legal Basis

The purposes of processing prospects outlined above are based on the following conditions of lawfulness:

  • carrying out pre-contractual measures;
  • legitimate interest of our organisation;
  • consent of the prospect if required by law (e.g. in case of sending promotional messages).

5. Recipients of Data

We ensure that data is only accessible to authorised internal or external recipients who are subject to a corresponding duty of confidentiality.
Internally, we use an authorisation policy to determine which recipient may have access to certain types of data.

All accesses concerning the processing of personal data of customers, partners and prospects are subject to a traceability measure.

In addition, personal data may be transferred to any authority that is legally entitled to obtain knowledge thereof. In this case, we are not responsible for the conditions under which the employees of these authorities have access to and use the data.

Internal recipients
Authorised personnel within our structure (persons in charge of marketing, customer relationship management, service providers and interested parties, administrative personnel, IT managers) and their hierarchical superiors.

External recipients

  • Tourist partners who access the shared file in which the data may appear;
  • Service providers or support services;
  • Authorised personnel of the services responsible for control (auditors, services responsible for internal control procedures, etc.);
  • Administration, judicial officers where applicable.

6. Rights of Individuals

Right of Access and Copying

Customers, partners and prospects traditionally have the right to request confirmation as to whether or not data concerning them are being processed.

They also have a right of access to their data, i.e. the right to obtain any information about the processing of their personal data.

In such a case, the partner, customer or interested party must formulate their request themselves and there must be no doubt about their identity. Otherwise, we reserve the right to request the transmission of all elements enabling their identification, such as, in particular, a copy of an identity document.

Partners, clients and prospects have the right to request a copy of the personal data processed about them. However, if an additional copy is requested, we may require partners, customers and prospects to bear the cost of this.

If partners, customers and prospects request a copy of the data electronically, the requested information will be provided in a commonly used electronic form, unless otherwise requested.

Partners, customers and prospects are advised that this right of access may not relate to confidential information or data or to information that may not be disclosed under the law.

The right of access may not be exercised improperly, i.e. regularly with the sole aim of destabilising the service in question.

Maintenance - Updating and Rectification

We fulfil requests for updates:

  • automatically in the event of online changes to fields that can be technically or legally updated;
  • at the written request of the person themselves, who must prove their identity.

Right to Erasure

The right to erasure of partners, clients and prospects does not apply if the processing is carried out in order to comply with a legal obligation. Apart from this situation, partners, customers and prospects may request the erasure of their data in the following limited circumstances:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • if the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to processing necessary for the purposes of our legitimate interests, unless we can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject;
  • the data subject objects to the processing of personal data for the purposes of such marketing, including profiling; or
  • the personal data have been processed unlawfully.

Right to Restriction

Partners, customers and prospects are advised that this right shall not apply to the extent that the processing carried out by us is lawful and any personal data collected is necessary for the performance of the purposes of the processing.

Right to Data Portability

We grant the right to data portability in particular for data communicated by partners, customers and prospects themselves, for our online services and for purposes based solely on the consent of the data subjects and the performance of a contract. In this case, the data is provided to the applicant in a structured, commonly used and machine-readable format.

Automated Individual Decision-making

We do not make automated individual decisions.

The tools offered on our website are merely tools for customers and prospects and should not be regarded as such.

Rights after Death

Partners, customers and prospects are informed that they have the right to formulate instructions regarding the retention, deletion and disclosure of their data after death.

Exercise of Rights

The interested party may choose to exercise the aforementioned rights by e-mail to the address dpo@na-tourisme.com or by post to the following address:

CRT Nouvelle-Aquitaine
4 place Jean Jaurès
CS31759
33074 BORDEAUX Cedex

7. Additional Provisions

Optional or Mandatory Nature of Responses

Partners, clients and prospects are informed of the mandatory or optional nature of responses by the presence of an asterisk on each personal data collection form submitted to them. In cases where responses are mandatory, we will explain the consequences of not responding.

Right of Use

Our organisation is granted by its clients, prospects and partners a right to use and process their personal data for the above purposes.

However, the data resulting from our processing and analysis activities, so-called enriched data, remains our exclusive property (usage analyses, statistics, etc.).

Subcontracting

We inform you that we may engage a subcontractor of our choice to process your personal data. In this case, we will ensure that the subcontractor complies with its obligations under the GDPR.

We undertake to enter into a written contract with all our subcontractors and to impose the same data protection obligations on the subcontractors as we impose on ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the GDPR.

Cross-border Data Flows

Our organisation reserves the sole right to decide whether or not to have cross-border data flows for the personal data it processes.

In the event of a transfer of personal data to a country outside the European Union or to an international organisation, we will inform you and ensure that your rights are protected. If necessary, we will enter into one or more contracts to regulate cross-border data flows.

The provisions relating to cross-border data flows are enforceable against us, except in the exceptional cases provided for in Article 49 of the GDPR.

Register of Processing

As a data controller, we undertake to keep an up-to-date register of all processing activities carried out.

This register is a document or application that allows us to identify all the processing activities that we carry out as a data controller.

We undertake to provide the supervisory authority, upon first request, with information enabling it to verify the compliance of the processing operations with the applicable data protection rules.

8. Security

Security Measures

It is our responsibility to define and implement the technical security measures, physical or logical, that we consider appropriate to address the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.

To this end, we may engage the assistance of a third party of our choice to conduct vulnerability audits or penetration tests at such intervals as we deem necessary.

In any case, in the event of a change in the means of ensuring the security and confidentiality of personal data, we undertake to replace them with means of higher performance. No change can lead to a reduction in the level of security.

In the event that we subcontract all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors through technical measures to protect such data and appropriate staffing.

Data Breach

In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the GDPR.

If the said breach poses a high risk to partners, clients and prospects and the data has not been protected, we will notify the data subjects and provide them with the necessary information and recommendations.

9. Contacts

GDPR Officer

We have appointed a GDPR Officer whose contact details are as follows: dpo@na-tourisme.com.

In the event of any new processing of personal data, we will refer to the GDPR Officer beforehand.

If you wish to receive specific information or ask a specific question, you may contact the GDPR Officer who will provide you with a response to the question or information requested within a reasonable timeframe.

In the event of a problem with the processing of your personal data, you may contact the designated GDPR contact person.

Right to Complain to the Cnil

Partners, clients and prospective clients affected by the processing of their personal data are informed of their right to complain to a supervisory authority, i.e. the Cnil, if they consider that the processing of their personal data does not comply with European data protection legislation, at the following address:

Cnil - Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel : 01 53 73 22 22

Evolution

This Charter may be modified or amended at any time in the event of changes in legislation, case law, Cnil decisions and recommendations or practice.

Any new version of this Charter will be brought to the attention of clients, prospects and partners by any means we determine, including by electronic means (e.g. distribution by email or online).

Further Information

For further information, you can contact the GDPR contact person at the above address, i.e. dpo@na-tourisme.com.

For more general information on the protection of personal data, you can visit the Cnil website (www.cnil.fr).