Privacy Policy – iledere.com | Destination Île de Ré

1. What is the purpose of this privacy policy?

The purpose of this policy is to meet the information obligations of SPL Destination Ile de Ré (hereinafter “we”) under the RGPD (article 12) and any applicable regulations, to document the rights and obligations of customers, prospective customers and partners with regard to the processing of their personal data.

This policy sets out the conditions under which we process the personal data to which we have access in the course of our business. For a proper understanding of this policy, it is specified that :

Customers are understood to be any natural or legal person who has entered into a contract of any kind with our organisation;
Partners are understood to be all natural or legal persons involved in the tourism sector and maintaining relations with our organisation in this capacity, such as, in particular, local tourism professionals, project promoters and internal and external investors, holiday distributors, local authorities and their groupings or institutional partners;
Prospects are understood to be any potential customer or any contact recipient of promotional messages from our organisation whose data has been collected directly via contact forms, events or indirectly via any of our organisation’s partners.

2. What data do we process?

In the course of our business, we may need to collect the following data:

identity (e.g. civil status, surname, first name, date of birth, pseudonym, customer number) ;
contact details (e.g. personal email, professional email, postal address, fixed or mobile telephone number);
professional/personalinformation where necessary;
transaction data (amount and date of transactions);
technical data depending on use (identification or connection data such as IP address or logs, browsing data).

3. How do we collect your data?

We collect the data of our customers, prospects and partners from :

Data provided by the contact person (paper form, order form, contract, business card);
Electronic forms filled in by the contact person;
Data entered online (website, social networks, newsletter registration);
Registration for events that we organise;
Databases shared between several partners, fed and used by all these partners;
Communication of contacts via specialised companies or partners of our organisation.

4. What processing do we carry out?

We process your data for the following purposes and in accordance with the following legal bases:

Main purposes	Sub-purpose	Legal basis
Communication and promotional activities	Communication campaigns	Performance of a task in the public interest, contract performance, consent (canvassing)
	Sending newsletters or information feeds
	Event management
	Enrichment of databases (Data tourisme, SIT)
	Partner search operations
Management of contractual relations with customers and service providers	Selling tourist holidays directly or via distribution partners	Carrying out a mission of public interest, pre-contractual measures and contract performance
	Drafting, signing and monitoring contracts
	Managing customer accounts
	Ticketing management
	Billing and payment management
	Customer support and complaints management
	Satisfaction surveys
Digital Analytics	Cookies and other trackers: Analysis of user behaviour Optimisation of the user experience Personalisation of content and recommendations	Carrying out a public interest mission, consent for any advertising cookies

5. How long is your data kept?

We determine how long we keep the data of our customers, prospects and partners in the light of the legal and contractual constraints that apply to us and our sector of activity, or, failing that, according to our needs.

As a matter of principle, data relating to our customers, prospective customers and partners must be kept for the time strictly necessary to achieve the purposes for which it was collected. More specifically, we undertake to comply with the following retention periods:

Processing	Retention period
5 years from the end of the contractual relationship.	10 years for contracts over 120 euros concluded electronically.
Commercial correspondence (order forms, delivery notes, invoices, etc.)	10 years from the end of the financial year.
Data processed for canvassing purposes	For customers: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer. For prospects: 3 years from the date of collection or the last contact from the prospect (request for documentation, clicking on a link in an e-mail, etc.).
Technical data	1 year from the date of collection
Cookies	See cookies policy

The periods indicated in the table above are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute.

Once the time limits have expired, the data is either deleted or kept after being rendered anonymous, in particular for statistical purposes. They may be kept for pre-litigation and litigation purposes.

Please note that deletion or anonymisation are irreversible operations and that we are not subsequently able to restore them.

6. Who has access to your personal data?

We ensure that data is only accessible to authorised internal or external recipients who are subject to an appropriate obligation of confidentiality.

Internally, we decide which recipient may have access to which data in accordance with an authorisation policy.

In addition, personal data may be communicated to any authority legally authorised to have access to it. In this case, we are not responsible for the conditions under which the staff of these authorities have access to and use the data.

Internal recipients	External recipients
Authorised staff within our organisation (staff in charge of marketing, customer, partner and prospect relationship management, administrative staff, IT staff) and their line managers.	– Tourist partners who access the shared file in which the data is likely to appear; – Service providers or support services; – Administration, legal representatives where applicable.

We inform you that we may involve any subcontractor of our choice in the processing of your personal data. In this case, we will ensure that the processor complies with its obligations under the RGPD.

We reserve the right, including via our sub-contractors, to transfer data outside the European Union.

If data is transferred outside the European Union, we ensure that this transfer is subject to specific measures as imposed by the RGPD. You can ask our Data Protection Officer for access to the documents authorising transfers, when they take place.

7. What are your rights and how can you exercise them?

As data subjects, you may exercise your rights in accordance with the GDPR and the Data Protection Act directly with us.

You have the following rights:

Access: to know and obtain a copy of your personal data;
Rectification: correct or update your data;
Deletion: to request the deletion of your data in certain cases;
Limitation: to temporarily suspend the use of your data in certain situations;
Portability: receiving your data in a readable format or transferring it to another service;
Opposition: to the processing of your data for legitimate reasons or for canvassing purposes.

To exercise your rights, or if you have any questions about the processing of your personal data, you can write directly to the DPO at [email protected].

You have the right to lodge a complaint with the CNIL if you feel that your rights have not been respected, at the following address

CNIL – Complaints Department

3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07

Tel: 01 53 73 22 22

8. Security and data protection

We define and implement appropriate security measures to prevent the destruction, loss, alteration or unauthorised disclosure of data. The computer systems and paper media used are organised and protected to ensure the security and confidentiality of your information.