PRIVACY POLICY
Object
This Policy is established by JELIC, whose registered office is 66 Avenue des Champs-Élysées, 75008 Paris under the Siren number: 447 820 150
(hereinafter referred to as "the controller").
The purpose of this Policy is to inform visitors to the website hosted at the following address: https://christina-paris.com
(hereinafter referred to as the "website") of the way in which the data is collected and processed by the controller.
This Policy is in line with the desire of the data controller to act in complete transparency, in compliance with its national provisions and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation").
The controller pays particular attention to the protection of the privacy of its users and therefore undertakes to take the reasonable precautions required to protect the personal data collected against loss, theft, disclosure, misuse or unauthorized use.
“Personal data” is defined as all personal data relating to the user, i.e. any information that allows him to be identified directly or indirectly as a natural person.
If the user wishes to react to one of the practices described below, he can contact the data controller at the postal address or at the email address specified in the "contact details" section of this Policy.
What data do we collect?
The controller collects and processes, according to the methods and principles described below, the following personal data:
its domain (automatically detected by the controller's server), including the dynamic IP address;
his e-mail address if the user has previously revealed it, for example by sending messages or questions on the website, by communicating with the data controller by e-mail, by participating in discussion forums, by accessing the restricted part of the website by identification, or by transmitting it voluntarily when subscribing to the newsletter;
all the information concerning the pages that the user has consulted on the website;
any information that the user has given voluntarily, for example in the context of information surveys and/or registrations on the website, or by accessing the restricted part of the website by means of identification (e-mail addresses);
The data necessary to carry out loyalty, prospecting, study, survey, product test and promotion actions;
Data relating to the contributions of people who submit opinions on products, services or content, in particular their pseudonym;
It is possible that the data controller may also collect non-personal data. These data are qualified as non-personal data because they do not directly or indirectly identify a particular person. They may therefore be used for any purpose whatsoever, for example to improve the website, the products and services offered or the controller's advertisements.
In the event that non-personal data are combined with personal data, so that identification of the persons concerned is possible, these data will be treated as personal data until their reconciliation with a particular person is made impossible.
Collection methods
The controller may collect personal data as follows:
Web form (registration, purchase, contact etc.)
Contact e-mail
Purposes of processing
Personal data is only collected and processed for the purposes mentioned below:
Concerning simple Internet users:
Carry out operations relating to prospecting:
the management of technical prospecting operations (which notably includes technical operations such as standardization, enrichment and deduplication);
the selection of people to carry out loyalty, prospecting, survey, product testing and promotion actions;
carrying out solicitation operations;
The development of trade statistics;
The transfer, rental or exchange of its customer files and its prospect files;
The updating of its prospecting files by the organization in charge of managing the list of opposition to canvassing, in application of the provisions of the Consumer Code;
The organization of contests, lotteries or any promotional operation, excluding online gambling and gambling subject to the approval of the Online Gaming Regulatory Authority;
Invitations to ceremonies of institutional vows, to events organized by JELIC (conference hall, etc.)
Sending the newsletter,
Management of requests for the right of access, rectification and opposition;
The management of people's opinions on products, services or content.
Management of requests made on the JELIC website via the contact form
Regarding customers:
Carry out operations relating to customer management concerning: contracts; orders; deliveries; bills; accounting and in particular the management of customer accounts; a loyalty program within one or more legal entities; monitoring customer relations such as conducting satisfaction surveys, managing complaints and after-sales service; the selection of customers to carry out studies, surveys and product tests.
Newsletter management (Subscription management)
Management of requests for the right of access, rectification and opposition;
The management of unpaid bills and litigation, provided that it does not relate to offenses and/or that it does not lead to the exclusion of the person from the benefit of a right, a service or a contract;
The controller may be required to carry out processing that is not yet provided for in this Policy. In this case, he will contact the user before reusing his personal data, in order to inform him of the changes and give him the possibility, if necessary, of refusing this reuse.
Legitimate interests
Some of the processing carried out by the controller is based on the legal basis of the latter's legitimate interests. These legitimate interests are proportionate to respect for the rights and freedoms of the user. If the user wishes to be informed of the details of the purposes based on the legal basis of legitimate interests, he is recommended to contact the data controller (see point relating to "contact data").
Consent
Some of the processing carried out by the data controller is based on the legal basis of consent. This is the case for the newsletter. At any time you have the possibility to withdraw this consent, either by unsubscribing directly in the emails you receive or by contacting us (see "Contact data").
Contract
Some of the processing carried out by the controller is based on the legal basis of the contract. This is the case for account creation on the website.
Retention period
In general, the controller only retains personal data for the time reasonably necessary for the purposes pursued and in accordance with legal and regulatory requirements.
Concerning customers (see customer information)
A customer's personal data is kept for a maximum of 10 years after the end of the contractual relationship between this customer and the controller.
At the end of the retention period, the controller makes every effort to ensure that the personal data has been made unavailable and inaccessible.
About prospects
Personal data relating to a non-customer prospect may be kept for a period of three years from their collection by the data controller or the last contact from the prospect.
At the end of this three-year period, the data controller may contact the data subject again to find out if he wishes to continue to receive commercial solicitations. In the absence of a positive and explicit response from the person, the data must be deleted or archived in accordance with the provisions in force, and in particular those provided for by the Commercial Code, the Civil Code and the Consumer Code.
In the event of exercise of the right of access or rectification, data relating to identity documents may be kept for the period provided for in Article 9 of the Code of Criminal Procedure (i.e. one year). In the event of exercise of the right of opposition, these data may be archived during the limitation period provided for in Article 8 of the Code of Criminal Procedure (i.e. three years).
Regarding the retention period of cookies
Since consent to being tracked may be forgotten by the people who gave it at a given moment, the CNIL considers it necessary to limit the scope of that consent in time.
It recommends that the period of validity of consent to the deposit of Cookies be extended to a maximum of 13 months. At the end of this period, the consent must be obtained again.
Consequently, cookies must have a lifespan limited to thirteen months after their first deposit in the user's terminal equipment (following the expression of consent).
Their lifespan should not be extended during new visits to the site.
Regarding bank card data:
Data relating to bank cards are deleted once the transaction has been carried out, that is to say as soon as it has actually been paid, which may be deferred upon receipt of the goods, increased, if necessary, by the withdrawal period provided for in contracts concluded remotely and off premises, in accordance with Article L. 221-18 of the Consumer Code.
In the case of payment by credit card, the card number and the date of validity thereof may be kept for the purpose of proof in the event of any dispute over the transaction, in intermediate archives, for the duration provided for in Article L. 133-24 of the Monetary and Financial Code, in this case thirteen months following the debit date. This period may be extended to fifteen months in order to take into account the possibility of using deferred debit payment cards. These data are used only in the event of dispute of the transaction.
Data relating to bank cards may be kept longer subject to obtaining the express consent of the customer, previously informed of the objective pursued (for example, to facilitate the payment of regular customers). The storage period cannot then exceed the period necessary to achieve the purpose of the processing.
In general, data relating to the visual cryptogram is not kept beyond the time necessary to carry out each transaction, including in the event of successive payments or retention of the card number for subsequent purchases.
When the expiration date of the credit card is reached, the data relating to it is deleted.
Application of rights
For all the rights listed below, the data controller reserves the right to verify the identity of the user before applying them.
This request for additional information will be made within one month from the introduction of the request by the user.
Data Access and Copy
The user can obtain the written communication or a copy of the personal data concerning him that has been collected free of charge.
The controller may require payment of a reasonable fee based on administrative costs for any additional copies requested by the user.
When the user submits this request electronically, the information is provided in a commonly used electronic form, unless the user requests otherwise.
Unless otherwise provided by the general data protection regulations, the copy of his data will be communicated to the user no later than one month after receipt of the request.
Right of rectification
The user can obtain free of charge, as soon as possible and at the latest within one month, the rectification of his personal data which would be inaccurate, incomplete or irrelevant, as well as have them completed if they prove to be incomplete.
Unless otherwise provided by the general data protection regulations, the request for application of the right to rectification is processed within one month of the introduction thereof.
Right to object to processing
The user may at any time, for reasons relating to his particular situation, object free of charge to the processing of his personal data, except when:
the processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail (in particular where the data subject is a child).
The controller may refuse to implement the user's right of opposition when he establishes the existence of compelling and legitimate reasons justifying the processing, which take precedence over the interests or the rights and freedoms of the user, or for the establishment, exercise or defense of legal claims. In the event of a dispute, the user may lodge an appeal in accordance with the point "Claim and Complaint" of this Policy.
The user may also, at any time, object, without justification and free of charge, to the processing of personal data concerning him when his data is collected for commercial prospecting purposes (including profiling).
When personal data is processed for scientific or historical research purposes or for statistical purposes in accordance with the general data protection regulations, the user has the right to object, for reasons relating to his particular situation, to the processing of personal data concerning him, unless the processing is necessary for the performance of a task in the public interest.
Unless otherwise provided by the general data protection regulations, the controller is required to respond to the user's request as soon as possible and at the latest within one month and to justify his response when he intends not to comply with such a request.
Right to restriction of processing
The user can obtain the limitation of the processing of his personal data in the cases listed below:
when the user disputes the accuracy of data and only for the time that the controller can control it;
when the processing is unlawful and the user prefers the limitation of the processing to erasure;
when, although it is no longer necessary for the pursuit of the purposes of the processing, the user needs it for the recognition, exercise or defense of his rights in court;
for the time necessary to examine the merits of a request for opposition submitted by the user, in other words the time for the controller to verify the balance of interests between the legitimate interests of the controller and those of the user.
The controller will inform the user when the restriction of processing is lifted.
Right to erasure (right to be forgotten)
The user can obtain the erasure of personal data concerning him, when one of the following reasons applies:
the data is no longer necessary for the purposes of the processing;
the user has withdrawn their consent to their data being processed and there is no other legal basis for the processing;
the user opposes the processing and there is no overriding legitimate reason for the processing and/or the user exercises his specific right of opposition in relation to direct marketing (including profiling);
the personal data has been unlawfully processed;
the personal data must be erased to comply with a legal obligation (under Union law or Member State law) to which the controller is subject;
the personal data have been collected in connection with the provision of information society services aimed at children.
However, the erasure of data is not applicable in the following cases:
when the processing is necessary for the exercise of the right to freedom of expression and information;
when the processing is necessary to comply with a legal obligation which requires the processing provided for by Union law or by the law of the Member State to which the controller is subject, or to perform a task in the public interest or falling within the exercise of public authority vested in the person responsible;
when the processing is necessary for reasons of public interest in the field of public health;
when the processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes and insofar as the right to erasure is likely to render impossible or seriously compromise the achievement of the purposes of the processing in question;
when the processing is necessary for the establishment, exercise or defense of legal claims.
Unless otherwise provided by the general data protection regulations, the controller is required to respond to the user's request as soon as possible and at the latest within one month and to justify his response when he intends not to comply with such a request.
Right to “data portability”
The user may at any time request to receive his personal data free of charge in a structured, commonly used and machine-readable format, in particular with a view to transmitting them to another controller, when:
the data processing is carried out using automated methods; and when
the processing is based on the user's consent or on a contract concluded between the user and the controller.
Under the same conditions and according to the same methods, the user has the right to obtain from the controller that the personal data concerning him be transmitted directly to another controller of the processing of personal data, provided that this is technically possible.
The right to data portability does not apply to processing that is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
Data recipients and disclosure to third parties
Internal recipients
The recipients of the data are only the personnel authorized by the JELIC company in charge of security and the "commercial" relationship.
Subcontractors
The people outside the company with access to the data are the various hosts as well as our IT service providers.
In the context of promotional mailings (newsletter), we use MAILCHIMP, which certifies its compliance with the privacy shield.
The recipients of the data collected and processed are, in addition to the data controller himself, his employees or other subcontractors, his carefully selected business partners, located in France or in the European Union, and who collaborate with the data controller in the context of the marketing of products or the provision of services.
In the event that the data is disclosed to third parties for the purposes of direct marketing or commercial prospecting, the user will be informed beforehand so that he can choose to accept the transfer of his data to third parties.
As soon as this transfer is based on the user's consent, the latter may, at any time, withdraw his consent for this specific purpose.
The data controller complies with the legal and regulatory provisions in force and will in all cases ensure that its partners, employees, subcontractors or other third parties having access to this personal data comply with this Policy.
The data controller discloses the user's personal data in the event that a law, legal procedure or order from a public authority makes such disclosure necessary.
Security
The controller implements the appropriate technical and organizational measures to guarantee a level of security for the processing and the data collected that is adapted to the risks presented by the processing and to the nature of the data to be protected. It takes into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks for the rights and freedoms of users.
The controller always uses encryption technologies that are recognized as industry standards within the IT sector when transferring or receiving data on the website.
The data controller has implemented appropriate security measures to protect and prevent the loss, misuse or alteration of the information received on the website.
In the event that the personal data that the controller controls should be compromised, he will act quickly to identify the cause of this violation and take the appropriate remedial measures.
The data controller informs the user of this incident if the law obliges him to do so.
Claim and Complaint
If the user wishes to react to one of the practices described in this Policy, it is advisable to contact the data controller directly.
The user can also lodge a complaint with his national supervisory authority. A complaint can be sent to the CNIL online or by post:
National Commission for Computing and Liberties (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris cedex 07
Tel: +33 1 53 73 22 22
In addition, the user has the possibility of lodging a complaint before the competent national courts.
Contact data
For any questions and/or complaints relating to this Policy, the user may contact the data controller:
By email: GDPR@cristina-paris.com
By mail:
JELIC
66 Avenue des Champs-Élysées
75008 Paris
Amendment
The controller reserves the right to modify the provisions of this Policy at any time. The changes will be published directly on the controller's website.
Applicable law and competent jurisdiction
This Policy is governed by the national law of the main place of establishment of the controller.
Any dispute relating to the interpretation or execution of this Policy will be subject to the jurisdictions of this national law.
This version of the Policy is dated 01/06/2019.