Search

Free delivery in Relay Points for orders over €75 (in mainland France)

Devise

PRIVACY POLICY


CONTENTS

1. GENERAL PROVISIONS

1.1. Preamble

1.2. Definitions

1.3. Purpose 

1.4. General principles 

2. IDENTIFICATION OF PROCESSING

2.1. Categories of data collected and origin of data

2.2. Purposes of processing

2.3. Retention time

2.4. Legal basis

2.5. Data recipients 

3. MANAGING PEOPLE'S RIGHTS

3.1. Right of access and right to copy

3.2. Right of rectification

3.3. Right to erasure

3.4. Right to limitation

3.5. Right to portability

3.6. Right to object

3.7. Exercise of rights by our contacts 

4. ADDITIONAL PROVISIONS

4.1. Subcontracting

4.2. Data processing register

4.3. Safety measures

4.4. Data breach 

5. CONTACTS

5.1. Data Protection Officer

5.2. Right to lodge a complaint with the CNIL

5.3. Evolution

5.4. For further information

1. GENERAL PROVISIONS 

1.1. PREAMBLE 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter GDPR) sets out the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.  Subsequently, and in order to implement the changes made by the GDPR, Law no. 78-17 of 6 January 1978, known as the Data Protection Act, was amended by Law no. 2018-493 of 20 June 2018 by Order no. 2018-1125 of 12 December 2018 on data protection. The regulations applicable to the protection of personal data include the following:

  • GDPR ;
  • the French Data Protection Act (Loi Informatique et Libertés) current with the aforementioned texts;
  • CNIL recommendations. 

For a clear understanding of this policy, it is specified that :  

  • “data controller" means the natural or legal person who determines the purposes and means of processing personal data. Under this policy, the data controller is OUTDOOR ORGANIC NUTRITION SAS ; 
  • “data subjects" are persons who can be identified, directly or indirectly, by reference to personal data collected by the data controller, i.e., in the context of this policy, all OUTDOOR ORGANIC NUTRITION SAS interested parties, related to its customers and prospective customers, regardless of their status (employees or managers).

Article 12 of the GDPR requires data subjects to be informed of their rights in a concise, transparent, comprehensible and easily accessible manner. 

1.2. DEFINITIONS

  • "Personal data" means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
  • "Enriched data": enriched personal data are the opposite of "raw" personal data provided by the data subject. This is data generated by the data controller. It may also involve data deduced and/or derived by the data controller on the basis of data "provided by the data subject";
  • "processing of personal data" means any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure or destruction;
  • "personal data breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, or unauthorised access to said data..

1.3. PURPOSE

In order to ensure the smooth running of our business, we are required to process personal data relating to our contacts with customers, prospective customers and partners in the context of commercial relations and contracts concluded with these latter. The purpose of this policy is to fulfil our obligation to provide information and to remind our customers, prospects and partners of their rights with regard to the processing of their personal data. 

1.4. GENERAL PRINCIPLES

No processing is carried out by our company on data concerning you if it does not relate to personal data collected by or for its services or processed in connection with said services, and if it does not comply with the general principles of the GDPR.  Any new processing, modification or deletion of existing processing will be brought to the attention of our contacts with our customers and prospects by means of an amendment to this policy.  

2. IDENTIFICATION OF PROCESSING

2.1. CATEGORIES OF DATA COLLECTED AND ORIGIN OF DATA  

Data are mainly collected directly from our contacts with the customers and prospective customers of our company.  Consequently, we only collect and use the data necessary for the conclusion or performance of contracts with our company, i.e. :  

  • identity of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g. title, surname, first name);
  • professional details of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g. professional email, professional postal address, professional fixed or mobile telephone number, fax number);
  • professional information of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g. title, level, position);
  • technical data depending on use (identification or connection data such as IP address or logs); 
  • pictures of the contact person(s) in charge of a file or contacted for canvassing purposes (e.g. title, surname, first name);

2.2. Purposes of processing

Purposes Comments
Pre-contractual exchanges We process the data of people who interact with us when we have approached the structure to which they belong for prospecting purposes or when they have contacted us to enter into a contract with us.
Contract and contract monitoring We process the data of our customer contacts as part of our contractual relationship with them.
Billing, payment and accounting We process the data of our contacts with customers and prospective customers for the purposes of invoicing and paying for orders placed.
Customer/prospect relationship management We process the data of our contacts with our customers and prospective customers in order to communicate with them in connection with questions they may ask us in connection with the current or future performance of a contract with our company.
Management of our customer and prospect directory We keep an up-to-date directory of our customers and a directory of our prospective customers, which includes the names of our main contacts.
Organisation of events by our company We process the data of our contacts with customers and prospects when we invite them to events that we organise or co-organise.
Sending newsletters or news feeds When the addresses to which we send our newsletters or news feeds are not contact addresses, we use the data of our contacts with our customers and prospects.
Third-party access management We process the data of our contacts accessing our premises in order to secure access to them (e.g. keeping a register, access badges, etc.).
Video surveillance of third-party personnel Certain specific areas of our premises, such as gates and fences, are subject to video surveillance, which results in the processing of the data of third parties likely to be filmed.
Statistical analysis We may carry out statistical analysis of our customers‘ and prospects’ data.

  

2.3. retention time

We determine the length of time we keep the data of our contacts with our customers and prospective customers in the light of the legal and contractual constraints imposed on us and, failing that, according to our needs. As a matter of principle, data relating to our customers and prospective customers must be kept for the time strictly necessary to manage the commercial relationship. More specifically, we undertake to respect the following retention periods:

Processing Retention time
Contracts with our customers 5 years from the date of conclusion 10 years for contracts concluded by electronic means costing more than 120 euros
Commercial correspondence (order forms, delivery notes, invoices, etc.) 10 years from the end of the financial year
Data processed for prospecting purposes For customers: 3 years from the end of the commercial relationship (from the end of a contract or the last contact from the customer) For prospects: 3 years from their collection by OUTDOOR ORGANIC NUTRITION SAS or the last contact from the prospect (request for documentation, click on a link in an e-mail, etc.).
Images from video protection cameras For a maximum period of one month
Access to buildings For a maximum period of one month
Technical data 1 year from collection ​
Cookies 13 months

The periods indicated in the table above are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute. Once the time limits have expired, the data is either deleted or kept after being anonymised, in particular for statistical purposes. They may be kept in the event of pre-litigation or litigation. It should be noted that deletion or anonymisation are irreversible operations and that OUTDOOR ORGANIC NUTRITION SAS is not subsequently able to restore them.

2.4. Legal Basis

The processing of data relating to our contacts with customers and prospective customers as set out above is based on the following conditions of lawfulness, which differ depending on whether the processing relates to customers or prospective customers:

  • Customers : Pre-contractual or contractual performance
  • Prospects: Pre-contractual performance or legitimate interest of OUTDOOR ORGANIC NUTRITION SAS

2.5. DATA RECIPIENTS ​

Data recipients are defined as the natural or legal persons who receive personal data. Data recipients may therefore be employees of OUTDOOR ORGANIC NUTRITION SAS as well as external organisations. We ensure that the data collected and processed in the context of our relations with our customers and prospective customers is only accessible to authorised internal and external recipients, and in particular to the following recipients:

  • the staff of the departments responsible for managing relations with our customers and prospects and their line managers;
  • support staff, i.e. administrative, logistics and IT staff and their line managers;
  • our service providers or support services (e.g. IT service provider);
  • the competent authorities, should we be required to share certain data with judicial officers, departments responsible for internal control procedures, etc. ;
  • when visitors to our premises, reception staff, who collect the details of all visitors in a register.

With regard to internal recipients, we decide which recipient may have access to which data according to an authorisation policy and we ensure that they are subject to an obligation of confidentiality. With regard to external recipients, we inform you that the personal data of our contacts with our customers and prospects may be communicated to some of our service providers or to any authority legally authorised to have access to it (tax and social authorities in particular). In this case, OUTDOOR ORGANIC NUTRITION SAS is not responsible for the conditions under which the staff of these authorities have access to and use the data.

3. MANAGING PEOPLE'S RIGHTS

3.1. Right of access and right to copy

Our customers and prospective customers have the right to ask us whether we do in fact process data concerning their members (staff, managers, etc.) in the context of contracts concluded with them or prospecting messages that we send them. They may also ask us to provide them with a copy of their members' data being processed. However, in the event of a request for additional copies, we may require our customers and prospects to bear the cost of this new copy. If requests from our customers and prospects are made electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested. Our customers and prospective customers are informed that this right of access may not relate to confidential information or data or data for which communication is not authorised by law. The right of access must not be exercised in an abusive manner, i.e. on a regular basis with the sole aim of destabilising the proper performance of our services.

3.2. RIGHT OF RECTIFICATION

Our customers and prospects have the right to ask us to rectify any data concerning their personnel that may be obsolete or incorrect.

3.3. Right to erasure

Our customers may only invoke the right to erasure of their staff data in the following cases:

  • the contract has been terminated and no longer has any effect between our company and its customer;
  • members of staff whose data is processed and who are no longer employed by one of our customers and who therefore wish to be removed from our customer database.

Prospective customers may invoke the right to erasure of their personal data insofar as they have the right to object to receiving prospecting messages.

3.4. RIGHT TO LIMITATION

Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to our processing of the personal data of the members of their staff with whom we deal.

3.5. RIGHT TO PORTABILITY

Our customers and prospects are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met with regard to our processing of the personal data of the members of their staff with whom we deal.

3.6. RIGHT OF OBJECTION

Customers and prospective customers have the right to object to any commercial prospecting by post, telephone or electronic means, including profiling insofar as it is linked to such prospecting. In the specific case of canvassing by electronic means, it will be possible at any time for customers and prospective customers to object to such canvassing either by clicking on the link in the e-mail sent, or by modifying the preferences in the customer account on our website  here . By SMS, you can object to any prospecting by sending ‘stop’ to the number given in the message you receive.

 
3.7. Exercise of rights by our contacts 

To exercise their rights, our customers and prospects should contact us either in writing, by post or by e-mail at the following addresses: 13 Rue du Pré Paillard, 74940 Annecy le Vieux or at dpo-baouw@racine.eu. We do our utmost to respond to requests within a reasonable timeframe and, at best, within one month of receipt of the request. However, should the processing of requests prove complex or should we be faced with a large number of requests to exercise rights simultaneously, the processing time may be extended to two months. Translated with DeepL.com (free version)

4. ADDITIONAL PROVISIONS

4.1. SUBCONTRACTING  

We may involve any subcontractor of our choice in the processing of the personal data of our contacts with our customers and prospects. Within the meaning of the RGPD, a processor is any natural or legal person who processes personal data on behalf of the data controller. In practice, this therefore refers to service providers with whom OUTDOOR ORGANIC NUTRITION SAS works and who intervene in OUTDOOR ORGANIC NUTRITION SAS's personal data. In this case, we ensure that the processor complies with its obligations under the RGPD. We undertake to sign a written contract with all our subcontractors and impose on them the same data protection obligations that we impose on ourselves. In addition, we reserve the right to audit our subcontractors to ensure their compliance with the provisions of the RGPD.

4.2. PROCESSING REGISTER

In our capacity as data controller, we undertake to keep an up-to-date register of all processing activities carried out when required by law. This register is a document or application enabling us to list all the processing operations carried out by OUTDOOR ORGANIC NUTRITION SAS as data controller. We undertake to provide the CNIL, on first request, with the information it needs to verify that our processing complies with current data protection regulations.

4.3. SAFETY MEASURES

We implement the physical or logical technical security measures we deem appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data. These measures mainly include:

  • data access authorization management ;
  • internal safeguard measures ;
  • identification process ;
  • conducting security audits and penetration tests ;
  • the adoption of an information systems security policy ;
  • the adoption of business continuity/disaster recovery plans;
  • the use of protocol or security solutions.

In any event, we undertake, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

4.4. DATA BREACH

We undertake to notify the CNIL of any data breach that we may suffer, in accordance with the conditions laid down in the regulations governing personal data. Our contacts with customers and prospects are informed of any data breach that could pose a high risk to their privacy.

5. CONTACTS

5.1. DATA PROTECTION OFFICER

We have appointed a data protection delegate who can be contacted at the following address for any questions relating to data processing: Mr Eric Barbry, 40 rue de Courcelles 75008 Paris, dpo-baouw@racine.eu. DATA PROTECTION

5.2. RIGHT TO LODGE A COMPLAINT WITH CNIL

Our contacts at our service providers have the right to lodge a complaint with a supervisory authority, namely the Cnil in France, if they consider that the processing of their personal data does not comply with European data protection regulations.

5.3. EVOLUTION

The present policy may be modified or amended at any time in the event of changes in legislation, case law, CNIL decisions and recommendations or usage. Any new version of the present policy will be brought to the attention of our customers and prospects by any means we choose, including electronically (by e-mail or online, for example).

5.4. FOR FURTHER INFORMATION

For further information, please contact our Data Protection Officer at the following e-mail address: dpo-baouw@racine.eu.Pour For more general information on the protection of personal data, please consult the Cnil website. www.cnil.fr.