1. General Provisions
Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter “GDPR”) sets the legal framework applicable to the processing of personal data. This text strengthens the rights and obligations of data controllers, processors, data subjects, and data recipients.
Subsequently, to implement the changes of the GDPR, Law No. 78-17 of 6 January 1978, known as the “Data Protection Act” (Loi Informatique et Libertés), was amended by Law No. 2018-493 of 20 June 2018 and Order No. 2018-1125 of 12 December 2018.
This charter is implemented by the Regional Tourism Board of Nouvelle-Aquitaine (Comité Régional de Tourisme de Nouvelle-Aquitaine, hereinafter “CRTNA”). Our association, governed by the Law of 1901, contributes to the implementation of the tourism policy established by the Regional Council of Nouvelle-Aquitaine. Its primary missions include observation, tourism organization, and the promotion of the region at national and international levels.
CRTNA manages the regional tourism information systems (LEI and SIRTAQUI) with its departmental partners. Together, they contribute to the deployment of these tools within the regional network of tourism offices.
In the course of our activities, we process personal data related to our partners, clients, and prospects. For a clear understanding of this charter:
- Partners are defined as any natural or legal person operating in the tourism sector, belonging to our association and/or maintaining a relationship with our organization (e.g., regional tourism professionals, project developers, investors, travel distributors, local authorities).
- Clients are defined as any natural or legal person engaged under a contract of any nature with our organization, whether they are tourism professionals or the general public.
- Prospects are defined as any potential client or contact receiving promotional messages from our organization whose data was collected directly via contact forms or events, or indirectly via any partner.
Subject and Scope
This Data Protection Charter applies to the processing of personal data of our partners, clients, and prospects. Its purpose is to satisfy our organization’s information obligation and to formalize the rights and obligations regarding the processing of data.
This charter only covers data processing for which we are the Data Controller and “structured” data. Processing may be managed directly by our organization or through a specifically designated sub-processor.
This charter is independent of any other document applicable to the contractual relationship with our partners, clients, and prospects. We only process data collected by or for our services that complies with the general principles of the GDPR. Any new processing or modification will be communicated through an update of this charter.
2. Partner Data
Types of Data Collected
- Non-technical data: Identity (name, surname, date of birth, alias), contact details (email, postal address, phone number), professional life (function, job title), banking details (RIB or IBAN), and health data if necessary (e.g., during familiarization tours/eductours).
- Technical data: Identification data (IP address), connection data (logs, tokens), acceptance data (clicks), and location data.
Origin of Data
Data is collected directly from partners via electronic forms, extranet entries, or subscriptions to our online services (newsletters, social media).
Purposes (Finalities)
- Partner relationship management;
- Labelling of sites and facilities (e.g., Villes et Villages Fleuris);
- Tourism engineering (diagnostics, feasibility studies, subsidy applications);
- Networking and consultation between partners;
- Market placement assistance for partner providers;
- Management of events (trade fairs, workshops, etc.);
- Training operations and distributor research;
- Statistical analysis.
Retention Periods
- Client/Partner data: For the duration of the contractual relationship, plus 3 years for promotion and prospecting purposes.
- Technical data: 1 year from collection.
- Cookies: 13 months.
- Once these periods expire, data is either deleted or anonymized.
Legal Basis
The legal basis is the performance of contractual/pre-contractual measures or our public interest mission.
3. Client Data
Types of Data Collected
- Non-technical data: Identity (name, surname, alias, client number), contact details, banking details, and professional/personal life data when necessary.
- Technical data: IP address, logs, tokens, clicks, and location.
Origin of Data
Data is provided via paper forms, purchase orders, contracts, online entries (websites, social media), event registrations, shared partner databases, or occasionally through specialized third parties.
Purposes (Finalities)
- Client relationship management and sales of tourism packages;
- Event management and newsletter distribution;
- Account management and service improvement;
- Administrative obligations and community management;
- Statistical analysis.
Legal Basis
Performance of a contract, pre-contractual measures, or, in some cases, the client’s consent (e.g., commercial prospecting).
4. Prospect Data
Types of Data Collected
- Identity and contact details: Name, surname, birth date, alias, email, address, phone.
- Technical data: IP address, logs, tokens, clicks, and location.
Purposes (Finalities)
- Prospect relationship and event management;
- Newsletter distribution and website animation;
- Promotion of the organization/tourism on social media;
- Behavioral analysis and community management;
- Statistical analysis.
Retention Periods
- Prospect data: 3 years from collection or the last contact from the prospect.
Legal Basis
Pre-contractual measures, the legitimate interest of our organization, or consent where required by law.
5. Data Recipients
Data is only accessible to authorized internal or external recipients subject to confidentiality obligations.
- Internal: Authorized personnel (marketing, CRM, administrative, IT) and their managers.
- External: Tourism partners accessing shared files, service providers, auditors, and legal authorities if required.
6. Rights of Individuals
- Right of Access and Copy: You may request confirmation of whether your data is being processed and obtain a copy. We may request proof of identity to prevent fraud.
- Right to Update and Rectify: You may update your information online or via written request.
- Right to Erasure (Right to be Forgotten): Applicable if data is no longer necessary, consent is withdrawn, or processing is unlawful (unless required by a legal obligation).
- Right to Portability: Applicable to data you provided yourself for automated processing based on consent or contract.
- Automated Individual Decision-making: We do not perform any automated decision-making.
- Post-mortem Rights: You have the right to provide instructions regarding the retention or deletion of your data after your death.
7. Additional Provisions
- Mandatory vs. Optional: Mandatory fields in forms are marked with an asterisk (*).
- Sub-processing: We ensure all sub-processors comply with GDPR through written contracts and audits.
- Cross-border Flows: If data is transferred outside the EU, we will ensure appropriate safeguards (e.g., standard contractual clauses).
- Record of Processing Activities: As a Data Controller, we maintain a detailed register of all processing activities.
8. Security
We implement technical and logical security measures to prevent data destruction, loss, or unauthorized disclosure. In the event of a data breach, we will notify the CNIL and, if the risk is high, the affected individuals.
9. Contacts
Data Protection Officer (DPO)
We have appointed a DPO/GDPR referent reachable at: dpo@na-tourisme.com.
Right to Lodge a Complaint with the CNIL
If you believe the processing of your data does not comply with regulations, you may file a complaint with the French Data Protection Authority: CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, France.
Evolution
This charter may be modified at any time to reflect legal or regulatory changes.