PRIVACY POLICY

1. General provisions

​

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on data protection (hereinafter GDPR), sets the legal framework applicable to the processing of personal data. This text reinforces the rights and obligations of data controllers, subcontractors, data subjects and data recipients.

Subsequently, and to implement the modifications of the RGPD, the law n ° 78-17 of January 6, 1978 known as Data processing and freedoms was the subject of a modification by the law n ° 2018-493 of June 20, 2018 and by Ordinance No. 2018-1125 of December 12, 2018 relating to data protection.

This policy is implemented by the Brittany Regional Tourism Committee (hereinafter referred to as "the body"), whose main activities are the development of the tourist offer, the promotion of tourist destinations and the marketing of the tourism offer in Brittany.

As part of our activity, we implement personal data processing relating to the data of our customers, partners and prospects. For a good understanding of this policy, it is specified that:

• customers are understood as all natural or legal persons engaged under a contract of any kind whatsoever with our organization, it being specified that it is intended to work with professional customers of tourism or the general public;

• partners are understood as all natural or legal persons involved in the tourism sector and maintaining relations with our organization as such, such as in particular tourism professionals from the department, project leaders and internal and external investors, holiday distributors, communities territorial organizations and their groups or even institutional partners;

• prospects are understood as any potential customer or any contact recipient of promotional messages from our organization whose data has been collected directly via contact forms, events or indirectly via any partner of the organization.

Purpose and scope

This personal data protection policy is intended to apply in the context of the implementation of the processing of the personal data of our customers, partners and prospects.

As such, the purpose of this policy is to satisfy our organization's obligation to inform and thus to formalize the rights and obligations of customers, partners and prospects with regard to the processing of their data.

This policy only covers the processing for which we are responsible as well as data qualified as “structured”.

The processing of personal data can be managed directly by our organization or through a subcontractor specifically appointed by it.

This policy is independent of any other document that may apply within the contractual relationship that binds us to our customers, partners and prospects. We do not implement any processing of the data of our customers, partners and prospects if it does not relate to personal data collected by or for our services or processed in connection with our services and if it does not meet the principles GDPR Generals.

Any new processing, modification or deletion of an existing processing will be brought to the attention of customers, partners and prospects through a modification of this policy.

​

2. Customer data

​

Types of data collected

Non-technical data

(depending on the use case)

– identity and identification (surname, first name, date of birth)

– contact details (email, postal address, telephone number)

– professional life / personal life when necessary

– bank details (RIB)

Technical data

(depending on the use case)

– identification data (IP address)

– connection data (logs, token in particular)

– acceptance data (click)

– location data

Origin of data

We collect customer data from:

• data provided by the customer (paper form, order form, contract, business card);

• electronic sheets or forms completed by the customer;

• data entered online (website, social networks, etc.);

• registration for events organized by us;

• databases shared between several partners, fed and operated by all of these partners;

• communication of contacts through specialized companies or partners of our organization.

Purposes

Depending on the case, we process our customers' data for the following purposes:

• customer relationship management ;

• sale of tourist stays, services or products directly or via distribution partners;

• management of the organized events that we organise;

• commercial prospecting actions;

• sending newsletters or information/news feeds;

• organization of competitions;

• management of customer accounts;

• improvement of our services;

• response to our administrative obligations;

• community management;

• carrying out satisfaction surveys;

• production of statistics.

Storage periods

The retention period for our customers' data is defined with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs and in particular according to the following principles:

TreatmentStorage period

Data relating to customersFor the duration of the contractual relationship, increased by 3 years for the purposes of animation and prospecting, without prejudice to retention obligations or limitation periods

Technical data1 year from collection

CookiesSee the cookie policy

After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Customers are reminded that deletion or anonymization are irreversible operations and we are no longer, thereafter, able to restore them.

Legal basis

The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures or, in certain cases, the customer's consent (e.g. sending commercial prospecting messages).

​

3. Partner data

​

Types of data collected

Non-technical data

(depending on the use case)

– identity and identification (surname, first name)

– contact details (e-mail, postal address, telephone number)

– professional life (function, job title, etc.)

– bank details (RIB)

Technical data

(depending on the use case)

– identification data (IP address)

– connection data (logs, token in particular)

– acceptance data (click)

– location data

Origin of data

We collect data from our partners from:

• information collected directly via partners, in particular via shared databases;

• forms or electronic forms completed by partners;

• registrations or subscriptions to our online services (newsletter, social networks).

Purposes

Depending on the case, we process our customers' data for the following purposes:

• partner relationship management;

• labeling of sites and equipment for the sectors entrusted by the organization;

• tourism engineering operations (diagnostics and feasibility studies, support for setting up projects and grant application files);

• sending newsletters or information/news feeds;

• networking and consultation operations between the various partners;

• marketing support operations for partner service providers;

• management of the events we organize (fairs, workshops, webinars, etc.);

• search operations for distributor partners;

• production of statistics.

Storage periods

The retention period for the data of our partners is defined with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs and in particular according to the following principles:

TreatmentStorage period

Customer dataDuring the duration of the contractual relationship, increased by 3 years for the purpose of monitoring the relationship, without prejudice to retention obligations or limitation periods

Technical data1 year from collection

CookiesSee the cookie policy

After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Partners are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.

Legal basis

The processing that we implement under this policy is all legally based on the implementation of contractual or pre-contractual measures.

​

4. Prospect data

​

Types of data collected

Non-technical data

(depending on the use case)

– identity and identification (surname, first name, date of birth)

– contact details (e-mail, postal address, telephone number)

– professional life (function, job title, etc.) and personal life

Technical data

(depending on the use case)

– identification data (IP address)

– connection data (logs, token in particular)

– acceptance data (click)

– location data

Origin of data

We collect our prospect data from:

• data provided by the prospect (paper form, business card, etc.);

• electronic sheets or forms completed by the prospect;

• data entered online (website, social networks, etc.);

• registration or subscription to our online services (website, social networks);

• registration for events organized by us;

• databases shared between several partners, fed and operated by all of these partners;

• list communicated by the organizers of events or conferences in which we participate;

• communication of contacts through specialized companies or partners.

Purposes

Depending on the case, we process the data of our prospects for the following purposes:

• prospect relationship management;

• management of the events that we organise;

• commercial prospecting actions;

• organization of competitions:

• sending our newsletters or information feeds;

• animation of websites in partnership with our partners;

• promotion of our organization and tourism in Brittany on social networks (Facebook, Twitter, YouTube, Instagram, etc.);

• behavioral analysis of prospects;

• satisfaction survey ;

• community management;

• production of statistics.

Storage periods

The retention period for the data of our prospects is defined with regard to the legal and contractual constraints that weigh on us and, failing that, according to our needs and in particular according to the following principles:

TreatmentStorage period

Customer data For 3 years from their collection or the last contact from the prospect

Technical data1 year from collection

CookiesSee the cookie policy

After the fixed deadlines, the data is either deleted or kept after having been anonymized, in particular for reasons of statistical use. They can be kept in the event of pre-litigation and litigation.

Prospects are reminded that deletion or anonymization are irreversible operations and that we are no longer, thereafter, able to restore them.

Legal basis

The purposes of processing prospects presented above are based on the following conditions of lawfulness:

• execution of pre-contractual measures;

• legitimate interest of our organisation;

• consent of the prospect when the law requires it (example with regard to the sending of commercial prospecting messages).

• ​

5. Data recipients

​

We ensure that the data is only accessible to authorized internal or external recipients and subject to an appropriate obligation of confidentiality.

Internally, we decide which recipient will have access to which data according to an authorization policy.

All access concerning processing relating to the personal data of customers, partners and prospects is subject to a traceability measure.

In addition, personal data may be communicated to any authority legally authorized to know it. In this case, we are not responsible for the conditions under which the personnel of these authorities have access to and use the data.

Internal recipientsExternal recipients

Authorized staff within our structure (staff in charge of marketing, customer relationship management/quality service, service provider and prospect, administrative staff, accounting department, staff in charge of IT) and their line managers.– Tourist partners who access the shared file in which the data is likely to appear;

– Service providers or support services;

– Authorized staff of the departments responsible for control (auditor, departments responsible for internal control procedures, etc.);

– Banking institutions;

– Administration, auxiliary of justice if necessary.

​

6. Personal rights

​

Right of access and copy

Customers, partners and prospects traditionally have the right to request confirmation that data concerning them is or is not being processed.

They also have a right to access their data, i.e. the right to obtain communication of all information relating to the processing of their personal data.

In such a case, the customer, partner or prospect must formulate his request himself and there must be no doubt as to his identity. Failing this, we reserve the right to request the communication of any element allowing its identification, such as in particular the copy of an identity document.

Customers, partners and prospects have the right to request a copy of their personal data being processed. However, in the event of a request for an additional copy, we may require the financial support of this cost by customers, partners and prospects.

If customers, partners and prospects submit their request for a copy of the data electronically, the information requested will be provided to them in a commonly used electronic form, unless otherwise requested.

Customers, partners and prospects are informed that this right of access cannot relate to confidential information or data or for which the law does not authorize communication.

The right of access must not be exercised abusively, that is to say carried out on a regular basis for the sole purpose of destabilizing the service concerned.

Updating – updating and rectification

We respond to update requests:

• automatically for online changes to fields that technically or legally can be updated;

• on written request from the person himself who must prove his identity.

Right to erasure

The right to erasure of customers, partners and prospects will not be applicable in cases where the processing is implemented to meet a legal obligation. Apart from this situation, customers, partners and prospects may request the erasure of their data in the following limited cases:

• the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

• when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

• the data subject objects to processing necessary for the purposes of the legitimate interests pursued by us and there are no overriding legitimate grounds for the processing;

• the data subject opposes the processing of their personal data for prospecting purposes, including profiling;

• the personal data has been unlawfully processed.

Right to limitation

Customers, partners and prospects are informed that this right is not intended to apply insofar as the processing that we implement is lawful and that all the personal data collected is necessary for the implementation of the purposes of processing them.

Right to portability

We grant requests for data portability in the particular case of data communicated by customers, partners and prospects themselves, on our online services and for purposes based solely on the consent of individuals and performance of a contract. In this case, the data is communicated to the applicant in a structured, commonly used and machine-readable format.

Automated individual decision

We do not make any automated individual decisions.

The tools offered on our website are only help tools for customers and prospects and cannot be considered otherwise.

Post-mortem law

Customers, partners and prospects are informed that they have the right to formulate directives concerning the storage, erasure and communication of their post-mortem data.

Exercise of rights

The exercise of the aforementioned rights is carried out, at the choice of the interested party, by e-mail or by post to the following coordinates: dpo@tourismebretagne.com .

​

7. Additional provisions

​

Optional or mandatory nature of answers

Customers, partners and prospects are informed of the mandatory or optional nature of the answers by the presence of an asterisk on each personal data collection form submitted to them. In the case where answers are mandatory, we explain to them the consequences of a lack of answer.

Right of use

Our organization is granted by its customers, prospects and partners a right to use and process their personal data for the purposes set out above.

However, the enriched data which is the result of processing and analysis work on our part, otherwise known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).

Subcontracting

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we ensure that the subcontractor complies with its obligations under the GDPR.

We are committed to signing a written contract with all our subcontractors and imposes on the subcontractors the same obligations in terms of data protection as itself. In addition, we reserve the right to carry out an audit with our subcontractors in order to ensure compliance with the provisions of the GDPR.

Cross-border flows

Our organization alone reserves the choice of whether or not to have cross-border flows for the personal data it processes.

In the event of transfer of personal data to a country outside the European Union or to an international organization, we will inform you and ensure that your rights are respected. We undertake, if necessary, to sign one or more contracts to regulate cross-border data flows.

The provisions relating to cross-border flows are binding on us, except in the exceptional cases provided for in Article 49 of the GDPR.

Processing register

As a controller, we undertake to maintain an up-to-date record of all processing activities carried out.

This register is a document or application making it possible to identify all the processing that we implement as the controller.

We undertake to provide the supervisory authority, on first request, with the information enabling the said authority to verify the compliance of the processing with the data protection regulations in force.

​

8. Security

​

Security measures

It is our responsibility to define and implement the technical security measures, physical or logical, that we consider appropriate to fight against the destruction, loss, alteration or unauthorized disclosure of data in an accidental or unlawful manner.

To do this, we can be assisted by any third party of our choice to carry out, at the frequencies that we deem necessary, vulnerability audits or intrusion tests.

In any case, we undertake, in the event of a change in the means aimed at ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change can lead to a regression in the level of security.

In the event of subcontracting of part or all of the processing of personal data, we undertake to contractually impose security guarantees on our subcontractors by means of technical measures for the protection of this data. and the appropriate human resources.

Data Breach

In the event of a personal data breach, we undertake to notify the Cnil under the conditions prescribed by the GDPR.

If said violation poses a high risk to customers, partners and prospects and the data has not been protected, we will notify the persons concerned and provide them with the necessary information and recommendations.

​

9.Contacts

​

Data Protection Officer

We have appointed a data protection officer whose contact details are as follows: Me Eric Barby, Racine law firm, 40 rue de Courcelles, 75008 Paris, dpo@tourismebretagne.com .

In the event of new processing of personal data, we will contact the data protection officer beforehand.

If you wish to obtain specific information or ask a specific question, you can contact the data protection officer who will give you an answer within a reasonable time with regard to the question asked or the information required.

In the event of a problem encountered with the processing of your personal data, you can contact the designated data protection officer.

Right to lodge a complaint with the CNIL

Customers, partners and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil, if they consider that the processing of personal data personal data concerning them does not comply with European data protection regulations, at the following address:

Cnil – Complaints department

3 Place de Fontenoy - TSA 80715 – 75334 PARIS CEDEX 07

Tel: 01 53 73 22 22

Evolution

This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the Cnil or practices.

Any new version of this policy will be brought to the attention of customers, prospects and partners by any means that we define, including electronically (dissemination by e-mail or online for example).

For more information

For any additional information, you can contact the DPO at the above address, in this case dpo@tourismebretagne.com

For any other more general information on the protection of personal data, you can consult the CNIL website. www.cnil.fr.