Privacy Policy

Data protection charter for clients, prospects and partners

Table of contents

1. General provisions

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter the GDPR) establishes the legal framework applicable to the processing of personal data. This regulation strengthens the rights and obligations of data controllers, processors, data subjects and recipients of data.

Subsequently, in order to implement the changes introduced by the GDPR, French Law No. 78-17 of 6 January 1978, known as the Data Protection Act (Informatique et Libertés), was amended by Law No. 2018-493 of 20 June 2018 and Ordinance No. 2018-1125 of 12 December 2018 relating to data protection.

This charter is implemented by the Nouvelle-Aquitaine Regional Tourism Board (hereinafter referred to as “CRTNA”). Our non-profit organisation, governed by the French law of 1901, contributes to implementing the tourism policy defined by the Nouvelle-Aquitaine Regional Council. Its main missions include tourism observation, organisation and the promotion of the region both nationally and internationally.

CRTNA manages regional tourism information systems (LEI and SIRTAQUI) in partnership with departmental organisations (ADT / CDT / Departmental Councils). Together, they support the deployment of these tools across the regional network of tourist offices, also mobilising sector leaders.

As part of our activities, we process personal data relating to our partners, clients and prospects. For the proper understanding of this charter, the following definitions apply:

  • Partners refer to any natural or legal persons operating in the tourism sector who are members of our association and/or maintain a relationship with our organisation. This includes tourism professionals in the region, project leaders, internal and external investors, travel distributors, local authorities and their groups, as well as institutional partners.
  • Clients refer to any natural or legal person engaged in a contractual relationship of any kind with our organisation. Our organisation works with both tourism professionals and the general public.
  • Prospects refer to any potential client or contact receiving promotional communications from our organisation whose data has been collected directly via contact forms or events, or indirectly via a partner organisation.

Purpose and scope

This personal data protection charter applies to the processing of personal data relating to our partners, clients and prospects.

Its purpose is to fulfil our organisation’s obligation to provide information and to formalise the rights and obligations of partners, clients and prospects regarding the processing of their personal data.

This charter applies only to processing operations for which we are responsible and to data classified as “structured”.

Personal data processing may be managed directly by our organisation or by a processor specifically designated by us.

This charter is independent of any other document governing the contractual relationship between us and our partners, clients or prospects. We do not process personal data relating to partners, clients or prospects unless such data has been collected by or for our services, or processed in connection with them, and complies with the general principles of the GDPR.

Any new processing activity, modification or deletion of existing processing will be communicated to partners, clients and prospects through an update of this charter.

2. Partners’ data

Types of data collected

Non-technical data (depending on use cases):

  • identity and identification (surname, first name, date of birth, username)
  • contact details (email address, postal address, telephone number)
  • professional information (position, job title, etc.)
  • banking information (bank account details – IBAN)
  • health data if a participant, particularly during educational tours, needs to disclose such information

Technical data (depending on use cases):

  • identification data (IP address)
  • connection data (logs, tokens, etc.)
  • consent data (clicks)
  • location data

Data sources

We collect partners’ data from:

  • information provided directly by partners
  • electronic forms completed by partners
  • information entered through an extranet dedicated to partners
  • subscriptions to our online services (newsletter, social media)

Purposes

Depending on the situation, we process partners’ data for the following purposes:

  • management of partner relationships
  • certification and labelling of tourism sites and facilities for sectors managed by the organisation, including “Villes et Villages Fleuris”
  • tourism engineering operations (diagnostics, feasibility studies, project support and funding applications)
  • networking and consultation activities between partners
  • support for marketing partner services
  • management of events we organise (trade fairs, workshops, etc.)
  • training activities for partners
  • search for distribution partners
  • statistical analysis

Data retention periods

The retention period for partners’ data is determined according to legal and contractual obligations or our operational needs, in particular according to the following principles:

  • Client-related data: for the duration of the contractual relationship plus 3 years for marketing and outreach purposes, without prejudice to legal retention obligations
  • Technical data: 1 year from collection
  • Cookies: 13 months

Once these periods have expired, data is either deleted or anonymised, particularly for statistical purposes. Data may also be retained in the event of pre-litigation or litigation.

Partners are reminded that deletion or anonymisation is irreversible and that we will no longer be able to restore the data afterwards.

Legal basis

The processing operations carried out under this charter are based on the implementation of contractual or pre-contractual measures or on our public interest mission.

3. Clients’ data

Types of data collected

Non-technical data (depending on use cases):

  • identity and identification (surname, first name, date of birth, username, client number)
  • contact details (email address, postal address, telephone number)
  • banking details (IBAN)
  • professional or personal information when necessary

Technical data (depending on use cases):

  • identification data (IP address)
  • connection data (logs, tokens)
  • consent data (clicks)
  • location data

Data sources

We collect clients’ data from:

  • information provided by the client (paper form, purchase order, contract, business card)
  • electronic forms completed by the client
  • data entered online (website, social networks)
  • registration for events we organise
  • shared databases between several partners
  • exceptionally, rented or purchased databases
  • contact details provided by specialised companies or partner organisations

Purposes

Clients’ data may be processed for the following purposes:

  • customer relationship management
  • sale of tourism stays directly or through distribution partners
  • management of events we organise
  • sending newsletters or information updates
  • management of client accounts
  • improvement of our services
  • compliance with administrative obligations
  • community management
  • statistical analysis

Data retention periods

Client data: duration of the contractual relationship plus 3 years for marketing purposes

Technical data: 1 year from collection

Cookies: 13 months

Once the retention period expires, data is deleted or anonymised, except where required for legal proceedings.

Clients are informed that deletion or anonymisation is irreversible and that the data cannot be restored.

Legal basis

Processing carried out under this charter is based on contractual or pre-contractual measures, or in certain cases on client consent (for example, sending marketing communications).

4. Prospects’ data

Types of data collected

Non-technical data:

  • identity and identification (surname, first name, date of birth, username)
  • contact details (email address, postal address, telephone number)

Technical data:

  • identification data (IP address)
  • connection data (logs, tokens)
  • consent data (clicks)
  • location data

Data sources

Prospect data may be collected through:

  • forms completed by the prospect
  • electronic forms
  • data entered online (website or social networks)
  • subscriptions to our online services
  • registration for events we organise
  • shared databases with partner organisations
  • lists provided by event or conference organisers
  • exceptionally rented databases
  • contacts provided by specialised companies or partners

Purposes

Prospect data may be processed for:

  • management of prospect relationships
  • management of events we organise
  • sending newsletters and information updates
  • management of partner websites
  • promotion of our organisation and tourism through our website and social networks (Facebook, Twitter, YouTube, Instagram, etc.)
  • behavioural analysis
  • community management
  • statistical analysis

Data retention periods

Prospect data: 3 years from collection or last contact with the prospect

Technical data: 1 year

Cookies: 13 months

Once these periods have expired, data is deleted or anonymised, except in cases of litigation.misation sont des opérations irréversibles et que nous ne sommes plus, par la suite, en mesure de les restaurer.

Legal basis

The processing of prospect data is based on:

  • the execution of pre-contractual measures
  • the legitimate interest of our organisation
  • the prospect’s consent where required by law (for example, marketing communications)

5. Data recipients

We ensure that personal data is accessible only to authorised internal or external recipients subject to confidentiality obligations.

Internally, access rights are defined according to an authorisation policy.

All access to personal data relating to clients, partners and prospects is logged and traceable.

Personal data may also be disclosed to any authority legally entitled to access it. In such cases, we are not responsible for how such authorities process the data.

Internal recipients:

  • authorised staff within our organisation (marketing teams, customer relations teams, administrative staff, IT staff) and their managers

External recipients:

  • tourism partners accessing shared databases
  • service providers and support services
  • authorised audit and control personnel (auditors, internal control services)
  • public administrations or judicial authorities where applicable

6. Individuals’ rights

Partners, clients and prospects have the following rights regarding their personal data:

  • right of access and copy
  • right to rectification and updating
  • right to erasure (in certain circumstances)
  • right to restriction of processing
  • right to data portability
  • right to define post-mortem directives

Requests can be made by email at: dpo@na-tourisme.com

or by post at:

CRT Nouvelle-Aquitaine
4 place Jean Jaurès
CS31759
33074 BORDEAUX Cedex
Franceès, CS31759,
33074 BORDEAUX Cedex

7. Additional provisions

Additional provisions cover:

  • mandatory or optional nature of information requested in forms
  • right of use of data by the organisation
  • use of subcontractors
  • cross-border data transfers
  • maintenance of a processing register

The organisation commits to complying with GDPR requirements and ensuring its processors do the same.

8. Security

We implement appropriate technical, organisational and physical security measures to protect personal data against loss, destruction, alteration or unauthorised disclosure.

In the event of a personal data breach, we will notify the CNIL in accordance with GDPR requirements and inform affected individuals if the breach poses a high risk.

9. Contact

Data Protection Officer (DPO)

Our Data Protection Officer can be contacted at: dpo@na-tourisme.com.

If you have any questions regarding the processing of your personal data, you may contact the DPO who will respond within a reasonable timeframe.

Right to lodge a complaint

Individuals may lodge a complaint with the French supervisory authority:
Cnil – Service des plaintes
3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07
Tél : 01 53 73 22 22

For further information

For any additional information, you may contact the Data Protection Officer / GDPR contact person at the above-mentioned address, namely: dpo@na-tourisme.com.

For more general information on the protection of personal data, you may consult the CNIL website (www.cnil.fr).