Article 1. Parties to this contract
Between the undersigned:
1° HOTEL CRILLON LE BRAVE, société par actions simplifiée with a capital of EUR 776 200,00, registered on the Paris Trade and Companies Register under number 349 910 547, with registered office at 5 avenue Bertie Albrecht 75008 Paris, and with VAT number FR78349910547.
Hereinafter referred to as the “Controller”
And
2° Any natural person
- browsing the Controller’s website;
AND/OR
- benefiting from the hotel services and/or related services offered by the Controller.
Hereinafter referred to as the “Data Subject”.
The parties have agreed as follows:
Article 2. Purpose
The present Privacy Policy shall apply, without restrictions or reservations, between the Data Subject and the Controller.
The purpose of the present Privacy Policy is to provide information regarding the way in which the Controller collects and processes the Data Subject’s Personal Data, in compliance with the legislation in force, and in particular European Regulation n° 2016/679 and law n°78-17 (hereinafter referred to as the “Legislation”), in relation to:
- The hotel services and related services offered by the Controller to the Data Subject (hereinafter referred to as the “Service”);
- The website www.crillonlebrave.com (hereinafter referred to as the “Website”).
Article 3. Definitions
- Controller means the company HOTEL CRILLON LE BRAVE, société par actions simplifiée, with a capital of 776 200,00 euros, registered on the Paris Trade and Companies Register under number 349 910 547, with registered office at 5 avenue Bertie Albrecht 75008 Paris, and with VAT number FR78349910547, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Subject means any natural person browsing the Website and/or benefiting from the Controller’s Services, if they can be directly or indirectly identified, especially by reference to an identifier, such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.
- Browsing means consulting, becoming acquainted with, ordering and/or purchasing Services on the Website.
- Service means the hotel services and related services offered by the Controller to the Data Subject, notably on the Website.
- Website means the infrastructure developed by the Controller in line with computerised formats that can be used on the internet, including data of various natures, and notably text, sounds, fixed or animated images, videos and databases intended to be viewed by the Data Subject in order for the Data Subject to find out about, reserve, order or purchase a Service (www.crillonlebrave.com).
- Personal Data means any information relating to the Data Subject.
- Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Pseudonymisation means the processing of Personal Data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
- Legislation means any law or regulation relating to the protection of Personal Data, particularly European Regulation n°2016/679 and law n°78-17.
- Processor means a natural or legal person, public authority, agency or body other than the Controller which processes Personal Data on behalf of the Controller.
- Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data, notably in the framework of a particular inquiry, shall not be regarded as Recipients in the sense of the present definition.
- Third Party means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data, notably tour operators, travel agencies and booking systems.
- Consent means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the Processing of his or her Personal Data by the Controller.
- Supervisory Authority means the Commission nationale de l’informatique et des libertés (CNIL), an independent public authority responsible for the protection of personal data in France.
- DPO means the data protection officer, i.e. Bouchara – Avocats law firm (17 rue du Colisée – 75008 Paris, info.rgpd[@]maisonspariente.com) responsible for assisting the Data Subject in exercising their rights over their Personal Data.
AGREEMENT
Article 4. Principles of Personal Data Processing
In compliance with the Legislation, the Controller shall undertake to respect the following principles in the Processing of all Personal Data:
- Lawfulness;
- Fairness;
- Transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity;
- Confidentiality;
- Responsibility.
Article 5. Personal Data subject to Processing
As the Data Subject browses the Website and/or in the Controller’s performance of a Service, the Controller is required to collect and process certain Personal Data, notably:
- Personal information (name, surname, gender, postal address, email address, telephone number, date of birth, nationality);
- Bank details (credit card number);
- Copies of your identity documents (identity card, passport, driving license);
- Information on your stay (arrival and departure date, reservation number);
- Preferences (type of bedding, smoker/non-smoker, diet, allergies, special requests);
- Technical information (browsing behaviour on the Website, IP address).
Article 6. Context of the Processing
The Data Subject’s Personal Data may be collected and processed by the Controller on various occasions, notably:
- Performance of a Service;
- Room reservations;
- Registration and payment;
- Requests and complaints;
- Transmission of Personal Data by a Third Party;
- Browsing on the Website;
- Logging onto the Website;
- Contacting the Controller on the Website.
Article 7. Purpose of Processing and storage of Personal Data
Purpose of Processing | Legal basis for Processing | Duration of storage of Personal Data |
Performance of the Services and compliance with accounting standards | | 10 years from the date of reservation |
Management of consumption and access to rooms | | 3 years from the end of the Data Subject’s stay |
Management of commercial relations and sales leads | | 3 years from the date of last contact with the Data Subject |
Improvement and personalisation of the Services | | 3 years from the date of last contact with the Data Subject |
Complaints management | | 3 years from the date of last contact with the Data Subject |
Security of premises | | 1 month |
Security and improvement of the Website | | 13 months |
Statistics | | 3 years from the date of last contact with the Data Subject |
Compliance with the Legislation | | Duration defined by the Legislation |
The Controller reserves the right to anonymise the personal data subject to Processing before erasing it.
Article 8. Recipients of Personal Data
In principle, the Controller is the sole Recipient of all Personal Data.
In its performance of a Service, the Controller may be obliged to transfer the Personal Data to external or internal Recipients.
The following Recipients may be required to process your personal data:
- The Controller’s hotel staff;
- The Controller’s processor;
- Banks;
- Credit card issuers;
- Website hosts;
- The Controller’s business partners;
- The DPO;
- The authorities.
The Controller shall undertake to require sufficient guarantees from the Recipients that they will implement appropriate technical and organisational measures in such a manner that Processing meets the applicable legal and regulatory requirements and ensures the protection of the rights of the Data Subject.
The Controller may communicate the Personal Data that is subject to Processing with any Recipient or Third Party whenever there is a legal obligation to do so or when the Controller believes, in good faith, that it is necessary to do so in order to:
- Respond to a complaint against it;
- Comply with legal or administrative requirements;
- Enforce any contract to which the Data Subject is a party;
- Protect the vital interests of any natural person;
- Carry out a task in the public interest.
If the Controller is acquired by a Third Party, the Controller reserves the right to share the Personal Data with the acquiring Third Party, subject to the Third Party complying with the present Privacy Policy.
Article 9. Transfer of Personal Data outside of the European Union
The Controller shall store all Personal Data on secure servers located within the European Union.
The Controller shall only transfer the Personal Data outside of the European Union if express prior authorisation is granted by the Data Subject.
Article 10. Data Subject’s rights over their Personal Data
The Data Subject has a number of rights over their Personal Data that he or she may exercise, unless otherwise stated in the applicable legislation or regulations, by submitting a request to the DPO at the following address:
CABINET BOUCHARA – AVOCATS
Service DPO
17 rue du Colisée – 75008 PARIS
info.rgpd[@]maisonspariente.com
The DPO shall assist the Data Subject in exercising their rights over their Personal Data with the Controller.
If there is reasonable doubt over your identity, the DPO may ask you to attach a copy of an official ID document to support your request.
Requests shall be processed as quickly as possible, and no later than the deadlines stipulated by the Legislation.
Article 10.1. Right of access
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and the following information:
- The purposes of the processing;
- The categories of Personal Data concerned;
- The Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organisations;
- Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of processing of Personal Data, or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where the Personal Data are not collected from the Data Subject, any available information as to their source;
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
The Controller shall provide a copy of the Personal Data undergoing Processing. For any further copies requested by the Data Subject, the Controller reserves the right to charge a reasonable fee in line with administrative costs.
Article 10.2. Right to erasure and rectification
The Data Subject shall have the right to obtain from the Controller the rectification and/or erasure of inaccurate or outdated Personal Data without undue delay, unless the circumstances prevent the Data Subject from exercising this right, notably:
- The exercise of the right to freedom of expression and information;
- Compliance with a legal obligation;
- Public interest in terms of public health, archiving, scientific and historical research, and statistical research;
- The establishment, exercise or defence of legal claims.
Article 10.3. Right to object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the Processing of his or her Personal Data which is based on the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by the Controller.
The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.
The Data Subject shall also have the right to object at any time to the Processing of his or her Personal Data by the Controller for the purpose of direct marketing, where the Data Subject is related to such direct marketing.
Finally, where Personal Data are processed for scientific or historical research purposes or statistical purposes, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to the Processing of his or her Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
Any consumer has the option of registering free of charge on the BLOCTEL telephone cold-calling opposition list.
Article 10.4. Right to restriction of processing
The Data Subject shall have the right to obtain from the Controller restriction of the Processing of his or her Personal Data where one of the following applies:
- The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
- The Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;
- The Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- The Data Subject has objected to Processing pursuant to Article 10.3, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Any Data Subject who has obtained the restriction of Processing of their Personal Data shall be informed by the Controller before the restriction of Processing is lifted.
Article 10.5. Right to data portability
The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the Controller, where:
- The Processing is based on the Data Subject’s Consent or on the performance of a contract to which the Data Subject is a party;
- The Processing is carried out by automated means.
In exercising his or her right to data portability, the Data Subject shall have the right to have their Personal Data transmitted directly from the Controller to another controller, where technically feasible.
Article 10.6. Right to lodge a complaint with the Supervisory Authority
The Data Subject shall have the right to lodge a complaint with the Supervisory Authority if he or she believes that the Controller is illegally Processing Personal Data.
Article 10.7. Right to define instructions for the management of Personal Data
The Data Subject shall have the right to define instructions for the management of his or her Personal Data following his or her death with the Controller, who will employ all available technical means to ensure that this wish is respected.
Article 11. Security of Personal Data
The Controller shall take all suitable technical and organisational measures to protect the Personal Data from destruction, loss, alteration, misuse and unauthorised access, modification or disclosure, whether these actions are intentional or accidental.
The purpose of these technical and organisational measures is to ensure the confidentiality, integrity, availability and resilience of the Website and the information systems on which the Filing Systems are stored.
In order to provide the Data Subject with a secure Browsing experience, the Website is encrypted using SSL (Secure Sockets Layer).
Article 12. Modification of the Privacy Policy
The Controller reserves the right to occasionally modify the present Privacy Policy.
In the event that the present Privacy Policy is modified significantly, the Data Subject will be personally informed of the new Privacy Policy.
All Data Subjects are invited to regularly consult the present Privacy Policy to familiarise themselves with any possible modifications.
Data Subjects may send any questions they have on the present Privacy Policy to the DPO at the following address: info.rgpd[@]maisonspariente.com.
Article 13. Invalidity of the Privacy Policy
Should any of the stipulations of the present Privacy Policy be found to be invalid in relation to a rule of law in force or a definitive legal decision, it shall be deemed unwritten; however, the validity of the Privacy Policy as a whole and the remainder of its provisions shall not be affected.
In accordance with law no. 2020-901 of July 24, 2020 aimed at regulating telephone canvassing and combating fraudulent calls, any professional reserves the right to canvass a consumer registered on the telephone canvassing opposition list when the canvassing takes place as part of the performance of a current contract and is related to the subject of the said contract, including when it involves offering the consumer products or services related to or complementary to the subject of the current contract or of a nature to improve its performance or quality.