1. Recitals
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on their free movement, otherwise known as the General Data Protection Regulation (hereinafter GDPR) sets out the legal framework applicable to the processing of personal data.
The GDPR reinforces the rights and obligations of data processors, data controllers, data subjects and data recipients.
As part of its business, EIDER is required to process personal data of its customers and prospects.
For a clear understanding of this policy, it is stated that:
the 'data controller’, i.e. EIDER
the ‘processor': refers to any natural or legal person who processes personal data on behalf of EIDER
the 'concerned persons': refers to customers and/or prospective customers of EIDER
the ‘recipients': refers to natural or legal persons who receive personal data from EIDER
The recipients of the data may therefore be EIDER employees as well as external organisations (partners, banks, IT service providers, etc.)
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, comprehensible and easily accessible manner.
2. PURPOSE
The purpose of this policy is to meet EIDER's obligation to provide information and to formalise the rights and obligations of EIDER's customers and prospects with regard to the processing of their personal data.
3. SCOPE
This policy is to be applied within the framework of the implementation of all processing of personal data relating to customers and/or prospects of EIDER.
EIDER does its utmost for data to be processed under a precise internal governance. This policy applies only to processing for which EIDER is the controller and therefore does not apply to processing that would be created or operated outside the rules of governance set by EIDER (processing known as ‘wild' or shadow IT).
The processing of personal data may be managed directly by EIDER or through a subcontractor specifically appointed by EIDER.
This policy is unrelated to any other document that may apply within the contractual relationship between EIDER and customers and prospects.
4. GENERAL PRINCIPLES & DATA COLLECTION
No processing is carried out by EIDER regarding customer and prospects data if it does not concern personal data collected by or for its services or processed in relation to its services and if it does not comply with the general principles of the GDPR.
EIDER may use it in the following ways:
Games & prize draws
Any game intended or not intended to win a prize for EIDER's customers or prospects. It may be carried out online or offline. Directly by EIDER or its partners. The data collected are generally those necessary for the identification of participants and the granting of prizes.
Push media
Any commercial action, commercial follow-up.
Marketing, generally by e-mail, SMS, telephone, etc. Data is collected on an opt-in or opt-out basis, depending on use.
Events
Physical events organized by EIDER or in which EIDER participates or sponsors. The data is generally collected at the time of registration for the event (directly or via a partner) or during the event itself (newsletter, survey, business card, dedicated mobile applications, etc.).
Social media
Any social selling operation, in particular the gathering of data relating to registrations, posts, likes, replies and forwards, comments, reviews, etc.
Communities
Any social gathering organized by EIDER or on its behalf and dedicated to it.
This list is intended to be as exhaustive as possible. Any new case of use, modification or deletion of an existing processing operation will be brought to the attention of customers and prospects by an amendment to this policy.
5. TYPES OF DATA COLLECTED
NON-TECHNICAL DATA
Identification data (last name, first name, etc.)
Contact details (postal address, e-mail address, telephone number, etc.)
Personal and/or professional life, when necessary (civil status, professional status)
Economic and financial information (bank details, etc.)
Transaction data (shopping basket, amount and date of transactions, etc.)
Photograph/image
TECHNICAL DATA
Connection data (IP address, logs, etc.)
Browsing data (cookies, tracers, audience measurement, clicks, etc.)
6. DATA ORIGINS
Data relating to customers or prospects is generally collected directly from them (direct collection) by EIDER.
Data may also be collected indirectly:
- via specialised companies (purchase or rental of base) or via EIDER's partners and suppliers. In this case, EIDER takes great care to ensure the quality of the data it receives
- via sponsorship. In this case, the sponsor ensures that they can communicate the person's data to EIDER
7. PURPOSES AND LEGAL BASES
Depending on the case, EIDER processes your data for the following purposes and on the following legal bases:
Purpose Pre-contractual exchanges Contract and contract follow-up Invoicing, payment and bookkeeping Management of customer and prospect directory Organisation of events Sending newsletters and managing requests to unsubscribe Service improvement and satisfaction surveys Behavioural analysis and audience measurement Community management Video surveillance Production of statistics
|
Comments EIDER processes the data of individuals who interact with it before the signing of a contract. EIDER processes the data of its customers in the context of monitoring contractual relations (eg. online shopping). EIDER processes the data of its customers as part of the billing and payment of orders placed. EIDER maintains a directory of its customers and prospects. EIDER processes the data of its customers and prospects when it invites them to events that it organizes. EIDER sends its customers and prospects newsletters to which they can unsubscribe. EIDER may process the data of its customers and prospects in order to improve its services, including through customer satisfaction surveys. EIDER may process data to analyse the behavior of its customers and prospects and monitor their online activity. EIDER collects and processes the data of its customers and prospects in order to maintain its communities on the Internet, particularly on social media. Certain specific areas of EIDER's offices and shops are subject to video surveillance. EIDER is likely to make statistics regarding the data of its customers and prospects.
|
Legal framework - Execution of pre-contractual measures - Execution of contractual measures - Execution of contractual measures - Legitimate interest - Legitimate interest - Legitimate interest (customers) - Consent (prospects) - Legitimate interest - Legitimate interest or consent where necessary - Legitimate interest - Legitimate interest - Legitimate interest
|
8. DATA RECIPIENTS - AUTHORISATION & TRACEABILITY
EIDER ensures that the data is only accessible to authorised internal or external recipients.
Internal recipients
- authorised personnel in the marketing department, sales department, departments responsible for customer relations and canvassing, administrative departments, logistics and IT departments and their line managers
- authorised staff in the departments responsible for auditing (statutory auditors, departments responsible for internal audit procedures, etc.)
External recipients
- partners (including payment management partners), external companies or subsidiaries of the same group of companies
- organisations, court officers and public officials, as part of their debt collection duties
- authorised staff of subcontractors
The recipients of customer and prospective customer personal data within EIDER are subject to an obligation of confidentiality.
EIDER decides which recipient may have access to which data according to an authorisation policy.
All access to processing of personal data of customers and prospects is subject to a traceability measure.
Personal data may also be communicated to any authority legally authorised to have access thereto. In this case, EIDER is not responsible for the conditions under which the staff of these authorities have access and use the data.
9. Storage period
The duration of data storage is defined by EIDER with regard to the legal and contractual constraints imposed on it and, if not, according to its needs and in particular according to the following principles:
Processing Contracts with customers Commercial correspondence (order slips, delivery notes, invoices, etc.) Data processed for marketing purposes Images from video surveillance cameras Access to buildings Technical data Bank details |
Storage period 5 years from the date of signing. 10 years for contracts over 120 euros signed electronically. 10 years from the end of the financial year. For customers: 3 years from the end of the commercial relationship (from the end of a contract) or from the last contact from the customer. For prospects: 3 years from the date of collection or the last contact from the prospect (documentation request, clicking on a link in an email, etc.). For a maximum period of one month. For a maximum period of one month. 1 year from the date of collection. Deleted as soon as the transaction is completed, unless the customer expressly agrees. If the transaction is disputed: storage for 13 months following the debit date.
|
After the set deadlines, the data is either deleted or kept after being anonymised, in particular for statistical purposes. It may be kept for pre-litigation and litigation purposes.
Customers and prospects are reminded that deletion or anonymisation are irreversible operations and that EIDER is no longer able to restore them.
10. RIGHT OF CONFIRMATION AND RIGHT OF ACCESS
Customers and prospects have the right to ask EIDER to confirm whether or not data concerning them are processed.
Customers and prospects also have a right of access, which is subject to compliance with the following rules:
- the request must come from the individual themselves
- be made in writing to the following address EIDER, 4 Allée du Parmelan 74370 EPAGNY METZ TESSY or to the following email address, [email protected].
Customers and prospects have the right to request a copy of their personal data being processed from EIDER. However, should a request for an additional copy be made, EIDER may require customers and prospects to bear the cost of this.
If customers and prospects submit their request for a copy of the data via email, the information requested will be provided in a commonly used electronic form, unless requested otherwise.
Customers and prospective customers are informed that this right of access may not relate to information or data that is confidential or for which communication is not authorised by law.
The right of access must not be applied in an abusive fashion, i.e. on a regular basis with the sole aim of disrupting the department concerned.
11. UPDATES AND CORRECTIONS
EIDER fulfils update requests:
- automatically for online modifications to fields which, technically or legally, can be updated
- upon written request from the user, who may be required to provide identification
12. RIGHT TO ERASURE
1 - Eider has included a Trustpilot on the British, Belgian and Spanish versions of the Site. Trustpilot is a platform which collect client reviews on companies, and where Eider can get feedback and statistics on its customers' satisfaction. These reviews are verified and analyzed by Trustpilot to ensure they are genuine, and the Site is able, through the Trustpilot component, to disclose the opinions on the Site by Eider's Buyers.
Trustpilot provides its services in France through its legal entity Trustpilot A/S, registered under CVR n°30 27 65 82 and located Pilestræde 58, 5th floor, 1112 Copenhagen K, Denmark.
When you are visiting the Site, you may access Trustpilot's platform by clicking on hyperlinks included for this purpose on the Site. After your purchase, you may also receive an email from Trustpilot inviting you to leave a review on the Site or on Eider, through Trustpilot’s platform, at the email address you have given to order your purchase.
When you write a review on Trustpilot's platform, you provide Trust pilot with Personal Data (i) necessary to post a review, such as your identity (user name, access credentials), your email, your review and evaluations, or (ii) optional (public profile, order info, feedback documents, "likes"). Trustpilot also collects and processes your connection data on the review platform (IP address, browser settings, location).
You may rectify or erase your Personal Data hosted and processed by Trustpilot at any time, and in particular by deleting your account and its reviews on Trustpilot's platform, and you may also claim for your right to object Trustpilot's processing.
These Personal Data may be collected and hosted in several member states of the European Union as well as in the United States and in Australia. Trustpilot may also transfer these Personal Data to subsidiaries, service providers and data processors (including social networks) in order to comply with its contractual obligations or in order to enter into other Personal Data processing under its control and sole liability.
You may access Trustpilot's privacy policy at:
https://legal.trustpilot.com/end-user-privacy-terms
2- Eider has included a Trusted Shops component on the French, German, Swiss, Austrian and international versions of the Site. Trusted Shops is a service allowing customers to buy on websites listed as "trusted" by Trusted Shops, to leave reviews on the reliability of these online websites, and to enjoy additional warranties linked to their purchases on these sites (in the event of no delivery, or when the non-compliant product or service is returned, the customer is fully reimbursed up to €2,500).
Trusted Shops provides its service in France through its subsidiary Trusted Shops France SARL à associé unique, registered with Amiens trade and company registry under no.825345655, and located at 660 route d'Amiens, 80480 Dury, France. Its website and its pages on social networks are managed by Trusted Shops GmbH, registered with Koln's lower civil court in Germany under no.32735, and located at Subbelrather Straβe 15c, 50823 Koln, Germany.
When the Site uses the services of Trusted Shops, the Personal Data of the order or each Buyer are transferred to Trusted Shops, with the Buyer's authorization, or in order to provide the Buyer with the additional contractual warranty. Trusted Shops also collects directly Personal Data relating to each visitor's browsing (browser, date, time, IP address and connection information) on the Site.
When you buy on the Site, you may be invited by Eider or by Trusted Shops to leave a review on the Site or on Eider through Trusted Shops online platform. If you write a review to Trusted Shops, you provide Trusted Shops with Personal Data related to your identity, your contact details, your reviews and evaluations and your order information (which will be correlated with the products you purchased on Eider's Site). Trusted Shops also collects and processes your connection data on its review platform.
Trusted Shops does not collect any Personal Data on the Site if you do not buy products benefitting from Trusted Shops warranty and if you do not reply to Trusted Shops' invitation to leave a review on Trusted Shops platform. You may also rectify or erase your Personal Data as hosted and processed by Trusted Shops, if they are not required for further processing, and you may claim the application of your rights to limit or object to Trusted Shops' processing (including direct marketing processing).
Trusted Shops uses a third-party payment service provider located in a country outside of the European Union as well as credit agencies located in Germany. In particular, the hosting service providers of its websites are located in Germany and in the United States. Any transfer to a service provider located in the United States is conditioned to its certification to the EU-US Privacy Shield. Moreover, Trusted Shops entered into standard contractual clauses as set by the European Commission as international transfer framework.
You may read Trusted Shops' privacy policy at:
https://business.trustedshops.co.uk/imprint
3- Eider subscribes to the FEVAD code of ethics, and uses the FEVAD's services in order to get analytics as well as an ombudsman service between Eider and consumers. Using an ombudsman is a mandatory required for Eider’s Site pursuant to several French and European laws and regulations. When a complaint meets the conditions set by law for mediation, the FEVAD's ombudsman may be contacted by the web user of by Eider.
The Fédération du e-commerce et de la vente à distance is a nonprofit association under the French law of 1901, which purpose is to ensure ethical and sustainable development of online commerce and remote sales in France. It is located at 60 Boétie Street, 75008 Paris, and registered under SIREN no.784 854 994 (phone number +331 4731 8541, [email protected]).
In this mediation system, Eider may provide the FEVAD with the Personal Data related to the identity, the contact details, the contracts, orders and exchanges between the Buyer and Eider, along with any relevant information considering the specifics of the litigation (product, price, discount, payment, shipping, reimbursement, compliance with warranties, etc.). Personal Data transferred for the purposes of analytics are anonymized in order to present aggregated results, and are not retained by the FEVAD.
The FEVAD ombudsman may transfer the case to sectorial mediation centers for some products / services. You may put an end to the mediation at any time or by refusing the settlement offer. The FEVAD will keep information on your mediation until the applicable statutes of limitations expire.
The FEVAD undertook to apply the highest level of confidentiality to all Personal Data received for the purposes of analytics or ombudsman services.
13. RIGHT TO LIMITATION
Customers and prospects are informed that this right is not intended to apply insofar as the treatment operated by EIDER is lawful and that all personal data collected are necessary for the execution of the business contract.
14. RIGHT TO DATA PROCESSING
EIDER gives the right to data processing in the particular case of data communicated by customers or prospects themselves, on online services offered by EIDER itself and for purposes based solely on the consent of individuals. In this case, the data will be communicated in a structured, commonly used and computer-readable format.
15. AUTOMATED INDIVIDUAL DECISION
EIDER does not make individual automated decisions.
16. POST MORTEM RIGHTS
Customers and prospects are informed that they have the right to give instructions regarding the conservation, deletion and disclosure of their post-mortem data. Any specific post-mortem directives and the exercise of their rights may be submitted in writing to Snowleader, 4 Allée du Parmelan 74370 EPAGNY METZ TESSY or via e-mail to [email protected].
17. OPTIONAL OR COMPULSORY NATURE OF RESPONSES
Customers and prospects are informed on each personal data collection form whether responses are compulsory or optional by means of an asterisk.
If answers are compulsory, EIDER shall explain to customers and prospects the consequences of a lack of response.
18. RIGHT OF USE
EIDER is granted by customers and prospects a right to use and process their personal data for the purposes set out above.
However, the enhanced data, which are the result of processing and analytical work by EIDER, remain the exclusive property of EIDER (analysis of use, statistics, etc.).
19. OUTSOURCING
EIDER informs its customers and prospects that it may involve any subcontractor of its choice in the processing of their personal data.
In this case, EIDER ensures that the subcontractors complies with its obligations under the GDPR. EIDER agrees to sign with all its subcontractors a written contract. EIDER also reserves the right to audit its subcontractors to ensure compliance with the GDPR.
20. SECURITY
It is the responsibility of EIDER to define and implement the technical, physical or logical security measures it deems appropriate to protect against the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
These measures mainly include
- management of access rights to data
- the use of a security protocol or solutions
21. DATA BREACH
In case of breach of personal data, EIDER will notify the CNIL, French Data Protection Agency, under the conditions prescribed by the GDPR.
If the breach poses a high risk to customers and prospects and the data has not been protected, EIDER:
- will notify the customers and prospects concerned
- will provide the customers and prospects concerned with the necessary information and recommendations
22. CONTACT
If customers or prospective customers wish to obtain information or ask a specific question, they can do so by using the following contact details:
- E-mail address: [email protected]
- Tel: 0872 442 8953
In the event of a problem with the processing of personal data, customers and prospects may also contact EIDER via the aforementioned contact details.
23. DATA PROCESSING REGISTER
As data controller, EIDER undertakes to keep an up-to-date register of all processing activities carried out.
This register is a document or software that allows to list all the processing carried out by EIDER, as data controller.
EIDER undertakes to provide to the supervisory authority, upon first request, the information enabling the said authority to verify the compliance of the processing with the applicable data protection regulations.
24. RIGHT TO LODGE A COMPLAINT WITH THE CNIL
Customers and prospects who wish to complain about the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL, French Data Protection Agency, in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:
CNIL - Complaint Department
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22
25. EVOLUTION
The present policy may be amended or modified at any time in case of legal or jurisprudential evolution, decisions and recommendations of the CNIL or practices.
Any new version of the present policy will be brought to the attention of customers and prospects by any means defined by EIDER, including electronic means (via e-mail or online for example).
26. FOR FURTHER INFORMATION
For further information, please contact the following departments: [email protected].
For any other general information on the protection of personal data, please consult the CNIL website www.cnil.fr.