1. Home
  2. Privacy policy

Privacy policy

Customer, prospect and partner data protection policy

1. general provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data (hereinafter “RGPD”), sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, processors, data subjects and data recipients. Subsequently, and in order to implement the changes made by the RGPD, the French Data Protection Act no. 78-17 of January 6, 1978 was amended by Act no. 2018-493 of June 20, 2018 and Order no. 2018-1125 of December 12, 2018. This policy is implemented by the Office de Tourisme Beaune & Pays Beaunois (hereinafter referred to as “the organization”), whose main activities includes the development of the tourist offer, the promotion of tourist destinations and the marketing of the tourist offer of the territory of the Commune of Beaune. As part of our activities, we process personal data relating to our customers, partners and prospects. For a better understanding of the present policy, it is specified that :

  • Customers are understood to be all individuals or legal entities who have entered into a contract of any kind with our organization, it being specified that the latter’s vocation is to work with the general public;
  • Partners are defined as all individuals or legal entities working in the tourism sector and maintaining relations with our organization, such as local tourism professionals, holiday distributors, local authorities and their associations, or institutional partners;
  • Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organization, whose data has been collected directly via contact forms, events or indirectly via any of our organization’s partners.

Purpose and scope

This personal data protection policy is intended to apply to the processing of the personal data of our customers, partners and prospects. As such, the purpose of this policy is to satisfy our organization’s obligation to provide information, and thus to formalize the rights that customers, partners and prospects have with regard to the processing of their data. This policy applies only to data processing for which we are responsible, and to “structured” data. The processing of personal data may be managed directly by our organization or through a subcontractor specifically appointed by it. This policy is independent of any other document that may apply within the contractual relationship between us and our customers or partners. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not comply with the general principles of the GDPR. Any new processing, modification or deletion of existing processing will be brought to the attention of customers, partners and prospects by means of an amendment to this policy.

2 Customer data

Types of data collected

Non-technical data (depending on use)

  • Identity and identification (marital status, surname, first name)
  • Contact details (e-mail, postal address, telephone number)
  • Professional/personal life where necessary
  • Transaction data (amount and date of transactions)

Technical data (depending on use)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, clicks)

Data origin

We collect customer data from :

  • Data supplied by the customer (paper form, order form, contract, business card);
  • Electronic forms filled in by the customer;
  • Data entered online (website, social networks);
  • Registration for events we organize;
  • Databases shared by several partners, fed and used by all these partners;
  • Exceptional rental or acquisition of databases;
  • Communication of contacts via specialized companies or partners of our organization.

Purposes and legal basis

We process customer data for the following purposes and on the following legal bases:

  • Customer relationship management (execution of pre-contractual or contractual measures);
  • Sale of tourist holidays directly or via distribution partners (execution of pre-contractual or contractual measures);
  • Management of events we organize (legitimate interest of our organization to promote our activity);
  • Sending newsletters or news feeds (legitimate interest of our organization to promote its activity);
  • Improvement of our services (legitimate interest of our organization to improve its services);
  • Meeting our administrative obligations (legal obligation);
  • Animation of social networks (legitimate interest of our organization to promote our activity);
  • Statistics (legitimate interest of our organization to analyze customer activity).

Retention periods

The length of time we retain customer data is defined in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs, and in particular in accordance with the following principles: Processing and retention period

  • Customer contracts
    • 5 years from the end of the contractual relationship.
    • 10 years for contracts over 120 euros concluded electronically.
  • Commercial correspondence (purchase orders, delivery notes, invoices, etc.)
    • 10 years from the end of the financial year.
  • Data processed for prospecting purposes
    • 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer (request for documentation, click on a link in an e-mail, etc.).
  • Banking data
    • Deleted as soon as the transaction is completed, except with the customer’s express consent.
    • If the transaction is contested: stored for 13 months following the debit date.

After this period, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes. Customers are reminded that the deletion or anonymization of data is irreversible, and that we are not subsequently able to restore it.

3 Partner data

Types of data collected

Non-technical data (depending on use)

  • Identity and identification (marital status, surname, first name)
  • Contact details (e-mail, postal address, telephone number)
  • Professional life where necessary
  • Transaction data (amount and date of transactions)

Technical data (depending on use)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, clicks)

Data origin

We collect data from our partners using :

  • Information collected directly by our partners;
  • Electronic forms filled in by partners;
  • Subscriptions to our online services (newsletter, social networks).

Purposes and legal basis

Depending on the case, we process our partners’ data for the following purposes and legal bases:

  • Management of partner relations (execution of pre-contractual or contractual measures);
  • Sending newsletters or news feeds (legitimate interest of our organization to promote its activity);
  • Management of events we organize (trade shows, workshops, etc.) (legitimate interest of our organization in promoting its business);
  • Training operations for partner service providers (execution of pre-contractual or contractual measures);
  • Distributor partner search operations (legitimate interest of our organization in developing its distributor partner network);
  • Statistics (legitimate interest of our organization to analyze the activity of its partners).

Retention periods

The length of time we retain our partners’ data is defined in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs, and in particular in accordance with the following principles: Processing and Retention period

  • Contracts concluded with partners
    • 5 years from date of conclusion.
    • 10 years for contracts over 120 euros concluded electronically.
  • Commercial correspondence (purchase orders, delivery notes, invoices, etc.)
    • 10 years from the end of the financial year.
  • Data processed for prospecting purposes
    • 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the partner (request for documentation, click on a link in an e-mail, etc.).
  • Bank details
    • Deleted as soon as the transaction is completed, except with the partner’s express agreement.
    • If the transaction is contested: stored for 13 months following the debit date.

After this period, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes. Partners are reminded that the deletion or anonymization of data is an irreversible operation, and that we are subsequently unable to restore it.

4 – Prospect data

Types of data collected

Non-technical data (depending on use)

  • Identity and identification (marital status, surname, first name)
  • Contact details (e-mail, postal address, telephone number)
  • Professional/personal life where necessary

Technical data (depending on use)

  • Connection data (IP address, logs)
  • Browsing data (cookies, tracers, clicks)

Data origin

We collect our prospects’ data from :

  • Data supplied by the prospect (paper form, business card, etc.) ;
  • Electronic forms filled in by the prospect;
  • Data entered online (website, social networks, etc.);
  • Registration or subscription to our online services (website, social networks);
  • Registration for events we organize;
  • Databases shared by several partners, fed and used by all these partners;
  • List provided by the organizers of events or conferences in which we participate;
  • Exceptional rental of databases;
  • Communication of contacts via specialized companies or partners.

Purposes and legal basis

Depending on the case, we process our prospects’ data for the following purposes and legal bases:

  • Management of the prospect relationship (legitimate interest of our organization to promote its activity);
  • Management of the events we organize (legitimate interest of our organization to promote its activity);
  • Sending our newsletters or news feeds (consent);
  • Animation of websites with our partners (legitimate interest of our organization to promote its activity);
  • Promotion of our organization and tourism on social networks (e.g. Facebook, X, YouTube, Instagram, LinkedIn) (legitimate interest of our organization to promote its activity);
  • Behavioral analysis of prospects (legitimate interest of our organization to analyze the activity of its prospects);
  • Statistics (legitimate interest of our organization to analyze the activity of its prospects).

Retention periods

The length of time we keep our prospects’ data is defined in the light of our legal and contractual obligations and, failing that, according to our needs, and in particular in accordance with the following principles: Processing and retention period

  • Data processed for prospecting purposes
    • 3 years from the date of collection or from the last contact from the prospect (request for documentation, click on a link in an e-mail, etc.).

After this period, data is either deleted or kept after being anonymized, notably for statistical purposes. Data may be kept for pre-litigation and litigation purposes. Prospects are reminded that the deletion or anonymization of data is irreversible, and that we are not subsequently able to restore it.

5 Recipients of data

We ensure that data is only accessible to authorized internal or external recipients who are subject to an appropriate obligation of confidentiality. Internally, we decide which recipients will have access to which data according to an authorization policy. In addition, personal data may be communicated to any authority legally empowered to deal with it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

  • Internal recipients Authorized personnel within our structure (personnel in charge of reception, marketing, customer relationship management, service providers and prospects, administrative personnel) and their line managers.
  • External recipients
    • Tourist partners who access the shared file in which data may appear;
    • Service providers or support services;
    • Authorized staff of auditing departments (Treasury, auditors, departments responsible for internal audit procedures, etc.);
    • Administration, legal auxiliaries where applicable.

6 Personal rights

Right of access and copy

Customers, partners and prospects have the right to request confirmation as to whether or not data concerning them is being processed. They also have a right of access to their data, i.e. the right to obtain communication of all information relating to the processing of their personal data. In such a case, the customer, partner or prospect must formulate his or her request himself or herself, and there must be no doubt as to his or her identity. Failing this, we reserve the right to ask for any information that would enable them to be identified, such as a copy of an identity document. Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require customers, partners and prospects to bear the cost. If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested. Customers, partners and prospective customers are hereby informed that this right of access may not relate to confidential information or data, or data for which communication is not permitted by law. The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilizing the service concerned.

Updating and rectification

We comply with requests to update information upon written request from the person concerned.

Right to erasure

The right to erasure of customers, partners and prospects will not apply in cases where processing is carried out to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the deletion of their data in the following limited cases:

  • personal data is no longer required for the purposes for which it was collected or otherwise processed;
  • when the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
  • the data subject objects to processing that is necessary for the purposes of our legitimate interests and there is no compelling legitimate reason for the processing;
  • the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling;
  • the personal data has been processed unlawfully.

Right to restriction

Customers, partners and prospects are hereby informed that this right applies only in the following cases:

  • the accuracy of the personal data is contested by the data subject, for a period allowing us to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject objects to the erasure of his or her personal data, demanding instead that their use be restricted;
  • we no longer need the personal data for the purposes of processing, but it is still necessary for the data subject to establish, exercise or defend legal claims;
  • the data subject has objected to the data being processed, pending verification of whether the legitimate grounds pursued by the controller override those of the data subject.

Right to portability

We grant requests for data portability in the specific case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of the individuals and performance of a contract. In this case, the data is communicated to the requester in a structured, commonly used and machine-readable format.

Right to object

Customers, partners and prospects have the right to object at any time, for reasons relating to their particular situation, to the processing of their personal data based on our legitimate interests. We will no longer process personal data unless it can be shown that there are compelling legitimate grounds for the processing which override the interests and rights of our customers.rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

Right to withdraw consent

Customers, partners and prospects have the right to withdraw their consent at any time when processing is based on consent.

Automated individual decision-making

We do not make any automated individual decisions.

Post-mortem rights

Customers, partners and prospects are informed that they have the right to formulate directives concerning the conservation, deletion and communication of their post-mortem data.

Exercise of rights

The above-mentioned rights may be exercised, at the option of the person concerned, by e-mail or by post to the following address: 2, rue de la Colombière – 21200 Beaune; [email protected].

7 Additional provisions

Optional or compulsory responses

Customers, partners and prospects are informed of the compulsory or optional nature of their responses by the presence of an asterisk on each personal data collection form submitted to them. Where answers are mandatory, we explain the consequences of not answering.

Right of use

Our customers, prospects and partners grant us the right to use and process their personal data for the purposes set out above. However, enhanced data resulting from processing and analysis on our part remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the RGPD. We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on subcontractors as on ourselves. You can obtain a copy of these guarantees by writing to the email address [email protected]. In addition, we reserve the right to audit our subcontractors to ensure compliance with the provisions of the RGPD.

Cross-border flows

Our organization alone reserves the choice of whether or not to have transborder flows for the personal data it processes. In the event of transferring personal data to a country outside the European Union or to an international organization, we will ensure that your rights are properly respected. If necessary, we will sign one or more contracts to govern cross-border data flows. You can obtain a copy of these guarantees by writing to [email protected].

Data processing register

As data controller, we undertake to keep an up-to-date register of all processing activities carried out. This register is a document or application that lists all the processing operations that we carry out as data controller. We undertake to provide the supervisory authority, on first request, with information enabling the said authority to verify the compliance of processing with the regulations in force.

8. security

Security measures

We are responsible for defining and implementing the technical, physical or logical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data. To this end, we may engage the assistance of any third party of our choice to carry out vulnerability audits or penetration tests, at such intervals as we deem necessary. In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security. In the event of subcontracting all or part of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors, by means of technical data protection measures and appropriate human resources.

Data breaches

In the event of a personal data breach, we undertake to notify the CNIL under the conditions prescribed by the RGPD. If the said breach poses a high risk to customers, partners and prospects, we will notify the persons concerned and provide them with the necessary information and recommendations.

9 Contacts

We have appointed a data protection delegate whose contact details are as follows: [email protected]. In the event of any new processing of personal data, we will inform the Data Protection Officer in advance. If you wish to obtain information or ask a specific question, you can contact the Data Protection Officer, who will give you a reply within a reasonable period of time in relation to the information required or the question asked.

Right to lodge a complaint with the CNIL

Customers, partners and prospective customers concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, if they wish. CNIL, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:

CNIL – Service des plaintes

3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07

Tel: 01 53 73 22 22

Changes

The present policy may be modified or amended at any time in response to changes in legislation, case law, CNIL decisions and recommendations, or usage. Any new version of the present policy will be brought to the attention of customers, prospects and partners by any means we define, including by electronic means (distribution by e-mail or online, for example). For further information For more general information on the protection of personal data, please consult the CNIL website www.cnil.fr.

Close