Personal Data Policy

Home > Personal Data Policy

Last update 07/2024

This page is subject to change, so please consult it regularly.


1. Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “RGPD”) sets out, together with other applicable texts on the subject, the legal framework applicable to the processing of personal data.

 
These texts reinforce the rights and obligations of data controllers, data processors, data subjects and data recipients. In particular, they require that data subjects be informed of their rights in a concise, transparent, comprehensible and easily accessible manner.


We, the company SAS “Cité Gourmande”, whose registered office is at Agropole ZAC II BP 113 47931 Agen Cedex 9, registered in the Rennes Trade and Companies Register under number 423 697 440 (the “Company”), publish the website www.citégourmande.fr (the “Website”).


2. Object

Your privacy and the protection of your personal data are important to us.

The objectives of this Policy are to :

  • compile, in a concise, transparent, comprehensible and easily accessible format, information concerning the uses made of your personal data by the Company;
  • understand how your data is used;
  • know your rights, and how to exercise them.

This Policy relates only to processing operations for which the Company is responsible. The processing of personal data may be managed directly by the Company or through a subcontractor specifically appointed by it. This Policy is independent of any other document that may apply within the contractual relationship between the Company and you (cookies, commercial contracts, partnership contracts, etc.).


3. Data Protection Officer

The Company has appointed a Data Protection Officer to ensure compliance with personal data regulations.

You can reach him at this address: vosdonneespersonnelles@citegourmande.fr or by post at :

SAS Cité Gourmande
marketing department – personal data
Agropole ZAC II
BP 113, 47931 Agen Cedex 9


4. General principles

When the Company collects and uses your data, it does so for a specific purpose, of which you have been informed. In accordance with regulations, the purposes for which your data is collected are listed in a data processing register. They are also set out in the information notices brought to your attention, as well as in article 10 of the present Policy.


Categories of personal data processed  

The Company undertakes to collect and use only the personal data it needs to carry out its missions. The categories of personal data collected by the Company vary according to the use that will be made of them. The list of data is given in article 10 of this Policy.

The Company does not process sensitive data within the meaning of Article 9 of the RGPD (i.e. any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).


6. Origin of personal data processed 

Processing is only carried out by the Company if it concerns personal data collected by or for the services offered on the Site or on the Cité Gourmande mobile applications, or processed in connection with these services.

The Company may collect your personal data when:

  • you visit the citegourmande.fr website;
  • you send us a complaint, ask a question or make any other comment;
  • you communicate your personal data to us on the Site or in any other way.


7. Recipients of personal data

The Company ensures that only authorized persons and organizations have access to your data, and only for the purposes related to their missions. These may include, in particular:

  • corporate officers and employees of the Company, entities of the LE DUFF Group;
  • the Company’s service providers involved in the operation of the site, the official pages of the social networks, the execution of your order, the collection of online payments, the management of online reservations, the management and dispatch of newsletters and commercial offers, etc.
  • public bodies, exclusively to meet the Company’s legal obligations;
  • judicial and legal officers.

The Company ensures that its subcontractors comply with their obligations under applicable regulations. In addition, the Company reserves the right to audit its subcontractors to ensure compliance with applicable regulations.

Details of recipients by purpose are given in article 10 of this Policy.

 
With the exception of communication to the persons defined above and in article 10 of the present Policy, your personal data will not be communicated, transferred, rented or exchanged for the benefit of any third party whatsoever.


8. Transfer of personal data

If necessary for the purposes described in this Policy, your data may be transferred to a third country for technical reasons. Where the country concerned does not benefit from an adequacy decision (which means that it offers your personal data a degree of protection equivalent to that in force on the territory of the European Union), the Company ensures that the transfer is governed by one of the following appropriate measures:

  • standard contractual clauses approved by the CNIL;
  • adherence to an approved code of conduct in force;
  • compliance with a certification mechanism certified by an approved body;
  • binding corporate rules approved by the CNIL.

In the event that a franchise applicant wishes to complete an application form for a franchised establishment located in a country outside the European Union, the applicant is informed that the Company may, if necessary for the purposes of examining the application, transfer the personal data collected to recipients located in the said country.


9. Data retention periods

Data retention periods are defined by the Company in the light of its legal and contractual obligations. Data is kept only as long as is strictly necessary for the purposes for which it is to be used.

  

As a general rule, data used to establish proof of a right or contract will be kept for the period stipulated by the regulations in force.

 
At the end of the retention period defined for each category of personal data processed, and subject to provisions allowing archiving strictly necessary for the exercise of a right and proof of this right for the duration of applicable limitation periods or by virtue of legal obligations to which the Company is subject, the Company :

  • destroys personal data or ;
  • stores personal data in irreversibly anonymized form, so that it no longer constitutes personal data within the meaning of the applicable regulations.

You are reminded that deletion or anonymization are irreversible operations and that the Company is no longer able to restore them. 


10. Table summarizing the purposes for which your personal data is processed, data collected, data recipients, retention periods and legal basis.

The Company uses your personal data for defined purposes (why your data is used) and on legal grounds (why the Company has the right to use your data), as provided for by regulations. The table below shows the main purposes for which the Company processes personal data. For further information concerning the processing of your personal data, please contact the Data Protection Officer. This list is subject to change.

Purpose of processingCollected dataLegal basisShelf lifeInternal and external recipients
Comments and questions to customer service.Identification (surname, first name), contact details (telephone, email address), technical data (identification, connection, consent)Legitimate interest3 years from the last connection to the site– if necessary, employees of the Company’s technical service providers involved in the operation of the site,

– inspection services,

– public bodies, exclusively to meet the Company’s legal obligations, legal auxiliaries, ministerial officers,

– customer service,

– the Company’s IT department.


11. Your rights regarding your personal data

You are informed that all the rights listed below are individual rights that can only be exercised by you or by a person authorized to act on your behalf.

Right of access

You have the right to request confirmation from the Company as to whether or not your personal data is being processed. You also have the right to access and request a copy of your personal data being processed by the Company.

Customers and contacts also have a right of access.

If you submit your request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless you request otherwise.

You are hereby informed that this right of access does not apply to data that may not be disclosed by law.

Right to limit the processing of your data

You may ask the Company to limit the processing of your data in the cases provided for by the regulations.

Right to object to the processing of your data

You may object, at any time for reasons relating to your particular situation, to the processing of your data, the legal basis of which is the legitimate interest of the Company. If you exercise this right, the Company will ensure that it no longer processes your personal data, unless it demonstrates that it has legitimate and compelling reasons to continue this processing. These reasons must outweigh your interests and your rights and freedoms, or the processing must be justified for the establishment, exercise or defense of legal claims.

Once you have agreed to receive offers (newsletter and/or commercial offers) from the Company, you have the option to unsubscribe at any time by clicking on the link provided to you or by other means provided to you.

Right of rectification

You may request the Company to rectify or complete your personal data if it is inaccurate, incomplete, ambiguous or outdated. The Company may not be held responsible for a failure to update if the customer or contact does not update their data.

Right to withdraw your consent

Where the Company uses your personal data based on your consent, you may withdraw your consent at any time. The Company will then cease to use your personal data, without affecting any previous operations to which you had consented.

Right to erasure

You may request that the Company delete your personal data where one of the following grounds applies:

  • the data is no longer necessary in relation to the reason for which it was originally collected or processed;
  • you withdraw your consent;
  • you object to the processing of your data and there are no compelling legitimate grounds for its use;
  • the use of your data is not in accordance with the law or regulations.

Please note that this right is not a general right, it can only be exercised if one of the reasons provided for in the applicable regulations is present. If none of these reasons are present, the Company will not be able to respond favorably to your request. For example, if the Company must retain your data due to a legal or regulatory application or for the establishment, exercise or defense of rights in court.

Right to the portability of your data

You have the option to retrieve part of your data in a machine-readable format for personal use or to transmit them to a third party of your choice. This right does not apply to paper files and only applies on the basis of your prior consent or the execution of the contract. The exercise of this right must not infringe the rights and freedoms of third parties whose data may be found in the transmitted data.

Right to define post-mortem directives

You have the possibility to define specific guidelines relating to the retention, deletion and communication of your personal data after your death. These specific guidelines will only concern the processing implemented by the Company and will be limited to this scope only.

Right to lodge a complaint with the CNIL

If you believe that your “Data Protection and Liberties” rights have not been respected, you have the option of submitting a complaint to the National Commission for Data Protection and Liberties (CNIL):

CNIL – Service des plaintes : 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 

Phone : 01 53 73 22 22 


12. How to exercise your rights

You can exercise your rights by email at the following address:

vosdonneespersonnelles@citegourmande.fr or by post to:

SAS Cité Gourmande
marketing department – ​​personal data
Agropole ZAC II
BP 113, 47931 Agen Cedex 9


The Company will acknowledge receipt of your request to exercise rights and will respond to your request as soon as possible and no later than one (1) month from receipt of your request. This period may be extended by two (2) months if the request is complex, for a total of three (3) months after receipt of your initial request. In the latter case, the Company will inform you of the extension and explain the reasons for it.

If there is any doubt about your identity, the Company may ask you to provide additional information necessary for your identification.

If you wish to prove your identity by sending an identity document, make sure to send only the front in black and white, with a watermark (https://filigrane.beta.gouv.fr/).

Exercising your rights is free. However, if your requests are repetitive, excessive or abusive, you may be asked to pay a fee.

In accordance with the regulations, the Company retains data relating to the exercise of your rights for a maximum period of three (3) years and then anonymizes them.

If you have provided proof of identity, it will be kept for one (1) year after receipt of the request if proof is necessary. Failing this, the proof will be deleted immediately.


13. Mandatory or optional nature of responses

On each personal data collection form, you are informed of the mandatory or optional nature of the responses by the presence of an asterisk. In the event that responses are mandatory and you do not provide them, you will not be able to complete the contact request.


14. Links to Third Party Sites

The Company may also provide you with links to other websites. This is particularly the case for the “Brands” and “Recruitment” sections. However, the Company will not be responsible for the content or information collection policies on these websites. If you visit third-party websites, please check their information collection and privacy policies before providing them with your personal data. The Company accepts no liability in this regard.


15. Right of use granted to the company

The Company is granted by the persons concerned a right to use and process their personal data for the purposes defined above.


16. Security of your data

The Company attaches particular importance to the security of your personal data. Appropriate technical and organizational measures are implemented to ensure that your data is processed in a way that guarantees its protection against loss, destruction or accidental damage that could affect its confidentiality or integrity.

When creating or selecting a new tool for using your personal data, the Company ensures that it will offer an adequate level of protection. The Company enters into contracts with its subcontractors and partners that clearly define the terms and conditions for using your data. In the event of an incident involving your personal data, the Company has implemented a specific procedure. In the event of a high risk to your privacy, rights and freedoms, the Company will inform you of this incident, in accordance with its obligations in this area.