NaturOparc

Alsace Destination Tourisme data protection policy for customers, partners and prospective customers

1. General provisions

Background

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereafter GDPR) sets out the legal framework for the processing of personal data. This text reinforces the rights and obligations of controllers, processors, data subjects and recipients.

Following the passage of this regulation, and to implement the changes brought in by the GDPR, French law no. 78-17 of 6 January 1978, known as the “data freedoms” law, was amended by law no. 2018-493 of 20 June 2018 and by order no. 2018-1125 of 12 December 2018 on data protection.

This is the policy operated by Alsace Destination Tourisme (hereafter “the organisation”), whose main activities are to support local bodies and through them develop provisions for tourism and tourist services; to market products and services for tourists through Destination Alsace and to promote and communicate on behalf of tourist destinations, principally working through the “Visit Alsace”, “Alsace à Vélo”, “Alsace Terre de Châteaux forts”, “Les coups de cœur de Liesel” and “Massif des Vosges” brands.

In the course of our operations, we process personal data belonging to our customers, partners and prospective customers. The following definitions are provided to assist in the comprehension of this policy:

  • a customer is understood to mean any individual or legal entity who has entered into a contract of any type whatsoever with our organisation, which exists to work with both trade customers and the general public,
  • a partner is understood to mean any individual or legal entity operating in the tourism sector and working as a consequence of this with our organisation, such as local tourism professionals, internal and external project leaders and investors, organisations selling travel services, local authorities and related groupings and institutional partners,
  • a prospective customer is understood to mean any potential customer or any contact receiving promotional information from our organisation whose data has been collected directly via the contact form or at an event, or indirectly via any partner of the organisation.

Object and scope

This data protection policy will apply to the processing carried out on the personal data of our customers, partners and prospective customers.

Consequently, the object of the policy is to fulfil our organisation’s duty to provide information, and in doing so to formally set out the rights and obligations of our customers, partners and prospective customers as regards the processing of their data.

This policy only covers the processing for which we are responsible, and only covers data which is classified as “structured”.

The processing of personal data may be managed directly by our organisation or via a processor that we specifically designate.

This policy stands independently of any other document that may apply within the contractual relationship that we have with our customers, partners and prospective customers.

We will not undertake any processing of our customers’, partners’ or prospective customers’ data if it is not carried out on personal data collected by or for our organisation or processed in conjunction with our organisation, and if it does not comply with the general principles of the GDPR.

We will make our customers, partners and prospective customers aware of any new processing, change to processing or cessation of existing processing by amending this policy.

2. Customer data

Types of data collected

Non-technical data (as required by the usage)

  • identity and identification (family name, given name, date of birth, pseudonym and customer number)
  • contact details (email, postal address and telephone number)
  • professional details/personal details where necessary

Technical data (as required by the usage)

  • identification data (IP address)
  • access data (in particular logs and tokens)
  • acceptance data (clicks)
  • location data

Origin of data

We collect our customers’ data from:

  • data provided by the customer (paper form, order form, contract or business card),
  • electronic records or forms completed by the customer,
  • data provided online (website, social media, etc.),
  • registration for events that we organise,
  • databases shared between several partners, populated and used by all these partners,
  • on rare occasions, databases we rent or purchase,
  • contact details provided by specialist companies or partners of our organisation.

Purposes

As appropriate to the situation, we process our customers’ data for the following purposes:

  • managing customer relationships,
  • selling breaks directly or via partner distributors,
  • managing events that we organise,
  • sending out newsletters or information feeds,
  • managing customer accounts,
  • improving our services,
  • fulfilling our administrative obligations,
  • managing communities,
  • producing statistics.

Retention periods

The retention period for our customers’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

Customer data : For the duration of the contractual relationship, and then for an additional three years afterwards for community management and sales development purposes, without prejudice to retention obligations or limitation periods.

Technical data : 1 year from the collection date

Cookies : 13 months

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

Customers are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

Lawful basis

All the processing operations that we carry out under this policy have as a lawful basis the performance of a contract, including entering into the contract, or, in certain cases, customer consent (e.g. to send direct marketing messages).

3. Partner data

Types of data collected

Non-technical data (as required by the usage)

  • identity and identification (family name, given name, date of birth and pseudonym)
  • contact details (email, postal address and telephone number)
  • professional details (role, job title, etc.)

Technical data (as required by the usage)

  • identification data (IP address)
  • access data (in particular logs and tokens)
  • acceptance data (clicks)
  • location data

Origin of data

We collect our partners’ data from:

  • information provided directly by the partners,
  • electronic records or forms completed by the partners,
  • registrations and sign-ups to our online services (newsletter, social media, etc.).

Purposes

As appropriate to the situation, we process our partners’ data for the following purposes:

  • managing partner relationships,
  • awarding labels to sites and facilities in instances where our organisation has been entrusted with this function,
  • managing tourism projects (analyses and feasibility studies, support for grant applications and grant application projects),
  • creating networks or discussion fora involving various partners,
  • assisting partner service providers to bring their services to the market,
  • managing events that we organise (trade shows, workshops, AGMs, trade networking events, etc.),
  • training partner service providers,
  • identifying partner distributors,
  • producing statistics.

Retention periods

The retention period for our partners’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

Partner data :For the duration of the contractual relationship, and then for an additional three years afterwards for the purpose of following up the relationship, without prejudice to retention obligations or limitation periods.

Technical data : 1 year from the collection date

Cookies : 13 months

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

Partners are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

Lawful basis

All the processing operations that we carry out under this policy have as a lawful basis:

  • our organisation’s legitimate interest,
  • the performance of a contract, including entering into the contract.

4. Prospective customer data

Types of data collected

Non-technical data (as required by the usage)

  • identity and identification (family name, given name, date of birth and pseudonym)
  • contact details (email, postal address and telephone number)
  • professional details (role, job title, etc.)

Technical data (as required by the usage)

  • identification data (IP address)
  • access data (in particular logs and tokens)
  • acceptance data (clicks)
  • location data

Origin of data

We collect prospective customers’ data from:

  • data supplied by the prospective customer (paper form, business card, etc.),
  • electronic records or forms completed by the prospective customer,
  • data provided online (website, social media, etc.),
  • registrations and sign-ups to our online services (website, social media, etc.),
  • registration for events or competitions that we organise,
  • databases shared between several partners, populated and used by all these partners,
  • lists provided by the organisers of events or conferences in which we are involved,
  • on rare occasions, databases we rent,
  • contact details provided by specialist companies or partners

Purposes

As appropriate to the situation, we process our prospective customers’ data for the following purposes:

  • managing prospective customer relationships,
  • managing events and competitions that we organise,
  • sending out our newsletters or information feeds,
  • managing websites in conjunction with our partners,
  • promoting our organisation and tourism in Alsace and in the Vosges Mountains on social media (Facebook, Twitter, YouTube, Instagram, etc.),
  • analysing the behaviour of prospective customers,
  • managing communities,
  • producing statistics.

Retention periods

The retention period for our prospective customers’ data is defined in accordance with the legal and contractual constraints by which we are bound and, in the absence of these, according to our needs, based among others on the following principles:

Prospective customer data :3 years from the collection date or the last contact from the prospective customer
Technical data : 1 year from the collection date
Cookies : 13 months

Once the periods set have expired, data is either deleted, or anonymised and then retained, in particular for statistical purposes. It can also be retained if a dispute is foreseen or in progress.

Prospective customers are reminded that deleting and anonymising data are irreversible operations. Once they have been completed, the data cannot be restored.

Lawful basis

The purposes of processing for the prospective customer data described above are covered by the following lawful bases:

  • preparation to enter into a contract,
  • our organisation’s legitimate interest,
  • the prospective customer’s consent where the law requires this (for example to send direct marketing messages).

5. Data recipients

We ensure that data can only be accessed by authorised internal and external recipients, who are bound by an appropriate duty of confidentiality. Within our organisation, we use an authorisation policy to decide which recipients can access which data.

Traceability measures are in place for any access involving our customers’, partners’ or prospective customers’ data.

In addition, personal data can be communicated to any authority legally entitled to have knowledge of it. In such cases, we cannot be held responsible for the conditions under which the staff of these authorities access and use the data.

Internal recipients : 

Authorised staff within our organisation (staff in charge of marketing and customer, service provider and prospective customer relationship management, administrative staff and IT staff) and their line managers.

External recipients : 

  • tourism industry partners who access the shared file in which the data may appear
  • service providers and support services
  • authorised oversight service staff (auditor, departments responsible for carrying out internal controls, etc.)
  • administrative authorities and officers of the law or justice system, as appropriate

6. Rights of data subjects

Right of access and copy

Conventionally, customers, partners and prospective customers have the right to ask for confirmation as to whether data about them has been processed or not.

They also have the right to access their data, meaning the right to obtain full information regarding the processing of their personal data.

Should a customer, partner or prospective customer wish to exercise this right, they must submit the request personally and there must be no doubt as to their identity. If there is a doubt, we reserve the right to ask the person to provide proof of their identity in the format of their choice. This is most frequently a copy of their identity document.

Customers, partners and prospective customers have the right to request a copy of their personal data that is being processed. If, however, they request a further copy, we may require them to cover the cost of this.

If the customer, partner or prospective customer sends their request for a copy of their data in an electronic format, the required information will be provided in a standard electronic format, unless otherwise requested.

Customers, partners and prospective customers should be aware that this right to access data does not extend to confidential data or information, nor to any data or information which may not legally be communicated.
The right to access must not be exercised inappropriately, meaning that requests must not be submitted on a regular basis with the sole objective of disrupting the department concerned.

Updates and rectifications

We will perform requested updates and rectifications:

  • automatically when a change is made online to fields that can technically or legally be updated,
  • on receipt of a written request from the person in question, who must provide proof of identity.

Right to erasure

The right to erasure of a customer’s, partner’s or prospective customer’s data will not be applicable in cases where the processing is carried out on the basis of a legal obligation. In other situations, customers, partners and prospective customers have the right to ask for their data to be erased in the following cases only:

  • the personal data is no longer required for the purposes for which it was collected or otherwise processed,
  • the data subject is withdrawing the consent on which the processing is based and there is no other legal basis for processing,
  • the data subject is objecting to processing carried out in our legitimate interest, and there is no other compelling legitimate interest for the processing,
  • the data subject is objecting to the use of their personal data for direct marketing purposes, including profiling,
  • the personal data has been processed unlawfully.

Right to restrict processing

Customers, partners and prospective customers are informed that this right does not apply because the processing that we carry out is lawful and because all the personal data that we collect is necessary in order to achieve the purposes for which it is processed.

Right to data portability

We will accept data portability requests in specific cases relating to data communicated by customers, partners and prospective customers themselves, via our online services, and only where they fall under the purposes of consent and the performance of a contract. In such cases, the data will be provided to the person submitting the request in a structured, standard format that can be read by a machine.

Individual automated decision-making

We do not use any individual automated decision-making.

The tools on our website are provided solely to assist customers and prospective customers and shall not be construed otherwise.

Post-mortem rights

Customers, partners and prospective customers are informed that they have the right to issue directives concerning how their data should be retained, deleted and communicated after their death.

How to exercise your rights

To exercise your rights as laid out above, please contact, by email or by post, as you prefer:

Me Eric BARBRY 
Cabinet Racine
40, rue de Courcelles
75008 PARIS - FRANCE
Email : dpo-adtalsace@racine.eu

7. Additional provisions

Optional and required responses

When personal data collection forms are presented to customers, partners and prospective customers, asterisks are used to indicate which responses are required and which are optional. Where responses are required, we explain the consequences of not providing them.

Usage rights

Customers, partners and prospective customers give our organisation the right to use and process their personal data for the purposes laid out above.

However, data that we create through processing and analysing operations, also known as enriched data, remains our exclusive property (usage analysis, statistics, etc.).

Processors

Please be aware that we may involve any processor of our choice in processing your data. In such cases, we will ensure that the processor complies with their obligations under the GDPR.

We undertake to sign a written contract with all our data processors and hold them to the same data protection obligations to which we ourselves are subject. In addition, we reserve the right to audit our processors to ensure that they are complying with the provisions of the GDPR.

Cross-border data flows

We reserve the right to decide independently whether to allow the personal data we process to flow across borders.

If we transfer your personal data outside the European Union or to an international organisation, we will make you aware of this and ensure that your rights are fully respected. If necessary, we undertake to sign one or more agreements to govern cross-border data flows.

We are bound by the provisions relating to cross-border data flows, except where the derogations laid down in article 49 of the GDPR apply.

Data processing register

As the data controller, we undertake to keep an up-to-date register of data processing activities, where the law requires us to do so.

This register takes the form of a document or application listing all the processing that we as the data processor carry out.

We undertake to provide the supervisory authority, on demand, with the information it needs to ensure that the processing has been carried out in accordance with the current data privacy legislation.

8. Security

Data security measures

We are responsible for defining and implementing the technical security measures, physical or logical, that we consider appropriate to guard against the destruction, loss, alteration or unauthorised disclosure of data, whether accidental or illicit.

To this end, we may seek the assistance of any third party of our choice to carry out, as often as we deem necessary, vulnerability audits and penetration tests.

We undertake, in any situation where we change the measures used to protect the security and confidentiality of personal data, to replace them with measures offering a superior level of performance. No upgrade will be allowed to lead to a reduction in the level of security.

If we entrust all or part of our personal data processing to data processors, we undertake to specify in our agreements with these processors security guarantees in the form of technical protection measures for the data, as well as the necessary human resources.

Data protection breaches

Should a data protection breach occur, we undertake to notify the CNIL (French data protection agency) under the conditions set out in the GDPR.

If the breach involves a high risk for our customers, partners and prospective customers and their data has not been protected, we will notify the data subjects and provide them with the necessary information and recommendations.

9. Contacts

Data protection officer

We have appointed a data protection officer. His name is Eric Barbry of Cabinet Racine (a law firm) at 40 rue de Courcelles, 75008 Paris, France – Email : dpo-adtalsace@racine.eu

We will contact our data protection officer before adding any additional form of data processing.

If you wish to obtain any particular information or ask a specific question, you can contact our data protection officer who will provide you with an answer within a period of time that is reasonable considering the question asked or information requested.

If you experience any kind of problem as regards the processing of your data, you can again contact our appointed data protection officer.

Right to lodge a complaint with the CNIL

Please be aware that as a customer, partner or prospective customer whose personal data is processed, if you judge that the way your data has been processed is not compliant with the European data protection regulations, you have the right to lodge a complaint with the supervisory authority (CNIL), at the following address:

Cnil – Service des plaintes
3 place de Fontenoy- TSA 80715, 75334 PARIS CEDEX 07, France
Tel: +33 (0)1 53 73 22 22

Changes to the policy

This policy may be amended or adjusted at any time in the event of a change to the law, case law, CNIL recommendations and decisions, or common practices.

We will make customers, partners and prospective customers aware of any new version of the policy by any method of our choosing, which may be an electronic method (distribution by email or online, for example).

Further information

Should you require any further information, please contact the DPO at the address given above: Eric Barbry, Cabinet Racine, 40 rue de Courcelles, 75008 Paris, France – Email : dpo-adtalsace@racine.eu

For any other more general information about data protection, please visit the CNIL website www.cnil.fr