Personal data policy
1. Preamble - Who we are
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter the "GDPR") sets out, together with the other texts applicable in this area, the legal framework applicable to the processing of personal data. These texts strengthen the rights and obligations of data controllers, data processors, data subjects and data recipients. In particular, they require that data subjects be informed of their rights in a concise, transparent, comprehensible and easily accessible manner. The company SAS "BRIDOR", whose registered office is ZA OLIVET - 35530 Servon sur Vilaine, registered in the Rennes Trade and Companies Register under number 491 668 893 (the "Company"), publishes the websites or mobile applications below (the "Site" or "Application") and implements the personal data processing described below:
Your personal data is very important to us, and through this document we are providing you with all the information you need to know what we do with your personal data, and what rights you can exercise at any time. For a proper understanding of this policy it is specified that
"Personal data" means any information that makes you directly or indirectly personally identifiable, including your full name, address, telephone number, e-mail address, bank details, user ID, password, cookies, IP address and other information that allows you to be identified and that you make available to us at any time;
"Data controller": the natural or legal person who determines the purposes and means of the processing of personal data defined in this policy. Under the present policy, Bridor is responsible for processing;
"Processor": a natural or legal person who processes personal data on behalf of the controller. In practice, this refers to the service providers with whom the Company works and who may have access to personal data;
"Data subjects" or "you": means persons who can be identified, directly or indirectly: with respect to the Site or the Applications: Bridor's customers and prospects. The Sites and Applications also enable the Company to manage recruitment: information on the processing carried out is available HERE.
"Recipients" means the natural or legal persons who receive personal data. The recipients of the data may therefore be both internal recipients and external bodies.
The purpose of this policy is to satisfy the Company's obligation to provide information and thus to formalise the rights and obligations of the persons concerned by the processing of personal data. This policy only covers the processing operations for which the Company is responsible. The processing of personal data may be managed directly by the Company or through a processor specifically appointed by the Company. This policy is independent of any other document that may apply within the contractual relationship between the Company and its customers and contacts (cookies, commercial or partnership contracts, etc.).
3. General principles and commitments
Processing is only carried out in relation to personal data collected by or for the services offered on the Website or the Applications, or processed in connection with those services and your relationship with Bridor. We may collect your personal data when:
you visit the Site or the Applications;
you create an account on the Site or on the Applications;
you subscribe to the newsletter;
send us a complaint, ask a question or make any other remark;
you provide us with your personal data on the Site or the Applications or in any other way.
You will be informed of any new processing, modification or deletion of existing processing. The Company does not process sensitive data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person). The Company does not make automated individual decisions.
4. Processing and types of data collected per processing
1) creating an account
Non-technical data Technical data (on site / Applications)
* Identification: surname / first name / title
* Contact details: telephone / e-mail address * Identification data (IP)
* Connection data (including logs)
2) Questions to customer service
Non-technical data Technical data (on site / Applications)
* Identification: surname / first name / title
* Contact details: telephone / e-mail address * Identification data (IP) if the comment or question is addressed via the online form
* Connection data (e.g. logs) if the comment or question is sent via the online form
5. Purposes of the processing
Depending on the case, the Company processes your data for the following purposes:
manage the relationship with our customers;
handle and resolve all your complaints or questions;
collect your opinion on Bridor products;
monitor, develop and improve the Site, the Applications or our services;
to send our customers information (newsletter, etc.) and commercial offers concerning existing or new products and services related to Bridor and its world;
answer questions asked (by phone or online);
meet our legal or administrative obligations.
6. Legal basis
The treatments are based on :
the performance of a contract to which you are a party for the use of the services offered on the Sites or the Applications;
the legitimate interest in the "customer service" section and customer opinions, canvassing, sending information and newsletters.
7. Recipients of the data
The Company ensures that data is only accessible to the following authorised internal or external recipients:
as the case may be and depending on the purposes of the processing: company officers and employees, entities of the Le Duff Group related to Bridor's activity;
if necessary, employees of the Company's technical service providers (subcontractors) who contribute to the operation of the Site, the Applications, the official pages of the Company's social networks, and who contribute to the execution of your order, collect your payment, send you information and commercial offers. To date, these are the following companies:
MEDIAVEILLE: SEO agency, traffic data processing (google track manager)
DELAWARE: Third party application maintenance for the website and applications
IN-TACT: Mobile application developer
SALESFORCES: Access to prospect and customer data
public bodies, exclusively to meet the Company's legal obligations,
judicial officers, ministerial officers. The Company ensures that its subcontractors comply with their obligations under the applicable regulations.
In particular, the Company undertakes to sign a written contract with all of its subcontractors and to impose the same data protection obligations on them. In addition, the Company reserves the right to audit its subcontractors to ensure compliance with the provisions of the applicable regulations. With the exception of communication to the persons defined above, your personal data will not be communicated, transferred, rented or exchanged for the benefit of any third party whatsoever.
8. Transfer of personal data
If necessary for the purposes described above, your data may be transferred to a third country for technical reasons. Where the country concerned does not benefit from an adequacy decision (which means that they offer your personal data a degree of protection equivalent to that in force in the European Union), the Company ensures that the transfer is subject to one of the following appropriate safeguards
- standard contractual clauses approved by the CNIL,
- our adherence to an approved code of conduct in force,
- compliance with a certification scheme certified by an approved body,
- binding business rules approved by the CNIL.
You can obtain a copy of the guarantees in question by requesting it under the conditions defined below in Article 11.
9. Shelf life
The duration of data retention is defined by the Company in the light of the legal and contractual constraints on it.
Treatment Shelf life Customer accounts 3 years after collection Newsletter 3 years after the last connection Customer service section 3 years after collection
In general, data enabling proof of a right or a contract to be established, which must be kept in order to comply with a legal obligation, will be kept for the period provided for by the law in force. At the end of the retention period defined for each of the categories of personal data processed, and subject to the provisions allowing archiving strictly necessary for the exercise of a right and the proof of this right for the duration of the applicable limitation periods or by virtue of the legal obligations to which the Company is subject, the Company :
- destroys the personal data, or
- stores such personal data in an irreversibly anonymised form, so that such data no longer constitutes personal data within the meaning of the applicable regulations. It is recalled that deletion or anonymisation are irreversible operations and that the Company is no longer able to restore them.
10. Your rights
1° Right of access You traditionally have the right to request confirmation as to whether or not data concerning you are being processed. You also have a right of access. You have the right to request a copy of your personal data being processed from the Company. However, in the event of a request for an additional copy, the Company may require you to pay the cost of this. If you make your request for a copy electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested. You are informed that this right of access may not relate to data which the law does not allow to be communicated.
2° Right of rectification You may ask the Company to update your data or do so yourself on your customer area. However, the Company cannot be held responsible for not updating your data if you do not update it.
3° Other rights Under the conditions defined by the applicable texts, you also have, in certain cases, a right to erasure (article 17 of the RGPD), a right to object (article 21 of the RGPD), a right to limitation (article 18 of the RGPD), a right to portability (article 20 of the RGPD), the right to define directives relating to the fate of your personal data after your death (art. 32 of the amended law of 6 January 1978).
4° Right to lodge a complaint with the CNIL You are informed of the right to lodge a complaint with a supervisory authority, i.e. the Cnil in France, if you consider that the processing of personal data concerning you does not comply with the regulations, at the following address
Cnil - Service des plaintes : 3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 Tél : 01 53 73 22 22
11. How to exercise your rights
The request must be sent by e-mail to firstname.lastname@example.org or by post to DPO GROUPE LE DUFF, 52 AVENUE DU CANADA, 35200 RENNES. The persons concerned are informed that these are rights that can only be exercised by them. To meet this obligation, the Company will verify their identity. If a request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may require payment of reasonable fees that take into account the administrative costs incurred in providing the information, making the communications or taking the measures requested; or refuse to comply with such requests.
12. Optional or compulsory nature of the answers
You are informed on each personal data collection form of the compulsory or optional nature of the answers by the presence of an asterisk. If some answers are compulsory and you do not provide them, you will not be able to access the services offered on the Bridor customer area.
13. Links to third party sites
The Company may provide links to other websites. However, the Company is not responsible for the content or the information collection policies on these websites. If you visit the websites of third parties, we recommend that you check their information collection and privacy policies. The Company accepts no responsibility in this regard. Please check these policies before providing your personal data to these websites.
14. Prospecting (email, sms, phone)
Once you have agreed to receive offers (newsletter and/or commercial offers) from the Company, you may unsubscribe at any time by clicking on the link provided or by any other means available to you, in particular by writing to us as defined in article 11 above.
15. Right of use granted to the Company
The Company is granted the right to use and process the personal data processed for the purposes defined above.
The Company implements such security measures as it considers appropriate to protect against accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data. These measures include mainly:
the use of security measures for access to the premises (locked offices, badges, etc.);
login and password for all our business applications;
the management of authorisations for access to data;
VPN for remote connections ;
* Regular security audits (penetration tests, etc.).
To this end, the Company may be assisted by any third party of its choice to carry out vulnerability audits or penetration tests at the intervals it deems necessary. The Company undertakes, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
17. Data breach
In the event of a personal data breach, and unless the breach in question is not likely to result in a risk to your rights and freedoms, the Company undertakes to notify the CNIL in accordance with the conditions prescribed by the applicable regulations. If the said breach poses a high risk to you and the data has not been protected, the Company :
will notify you;
will provide you with the necessary information and recommendations.
18. Register of treatments
The Company has a processing register.
This policy may be modified or amended at any time in the event of changes in the law, case law, decisions and recommendations of the CNIL or practices. Any new version of this policy will be made available to you online on the Site or on the Applications.