Data Protection Policy - (Compliant with EU Regulation 2016/679 of 27 April 2016 (GDPR) and Act no. 78-17 of 6 January 1978)
This Data Protection Policy aims to inform Data Subjects about the processing of their personal data, whether automated or non-automated, in accordance with the provisions of Act no. 78-17 of 6 January 1978 and EU Regulation 2016/679 of 27 April 2016 (hereinafter "GDPR") and the other legal and regulatory provisions in force (hereinafter the "Regulations in force") relating to the protection of personal data.
The terms "Personal Data", "Controller", "Processor", "Processing", "Data Subject", "Personal Data Breach" and "Supervisory Authority" are defined as set out in Article 4 of the GDPR.
MAIN CATEGORIES OF PERSONAL DATA BEING PROCESSED
The personal data collected is as follows:
i. Prior to ordering: capture of prospects' irises (tests, demonstrations),
ii. When ordering:
a. Identification data (surname, first name, gender),
b. Iris captures,
c. Contact details (postal address, e-mail address, telephone numbers),
iii. During the contractual relationship: iris captures of end customers, and data relating to the contractual and commercial relationship between the Data Subjects and IRIS GALERIE (e.g. subscription category, purchase history),
iv. When visiting a website of the IRIS GALERIE network: data collected by means of cookies, tracers or equivalent technical means (for more information on the management of cookies and tracers, consult the information notice relating to the management of cookies).
LEGAL INFORMATION FOR DATA SUBJECTS
The purpose of this document is to provide the Data Subjects with the legal information required, which is as follows:
(a) Identity and contact details of the Data Controller
The identity and postal address of the Data Controller are as follows:
- IRIS GALERIE, a société par actions simplifiée (simplified joint stock company) registered in the Paris Trade and Companies Register under number 897514618, with its registered office at 60 rue de la Boétie, 75008 Paris (hereinafter referred to as "IRIS GALERIE");
(b) Contact details of the Data Protection Officer
The contact details for the Data Protection Officer are as follows:
- Maître Pascal Alix, partner in AARPI VIRTUALEGIS, 5 rue Jean-Baptiste Dumas, 75017 Paris; e-mail address: email@example.com.
(c) Purposes of processing personal data
The purposes of the Processing operations for which personal data are intended are as follows:
- (i) identifying and contacting Data Subjects (end customers),
- (ii) identification of Contact Persons within the entities providing services and members of the IRIS GALERIE network,
- (iii) provision of contractual services,
- (iv) administration of contracts and customer accounts,
- (v) management of relations with contacts at service providers and members of the IRIS GALERIE network,
- (vi) sending information and/or service proposals to Data Subjects.
(d) Legal basis for Processing
The legal bases of the Processing are, depending on the Processing operation concerned:
- (i) the need to carry out pre-contractual measures taken at the request of end customers before they can benefit from the contractual services (tests, demonstrations),
- (ii) the need for the execution of a contract concluded with the member entities of the IRIS GALERIE network and the end customers so that the Data Subjects can benefit from the contractual services,
- (iii) the need, for IRIS GALERIE, to pursue its legitimate interest, in particular to administer the relationship with the member entities of the IRIS GALERIE network and end customers,
- (iv) the need, for IRIS GALERIE, to comply with the legal obligations to which it is subject, in particular with regard to the exercise of rights and tax and accounting obligations.
(e) Recipients of personal data
The recipients of the personal data processed are:
- the members of IRIS GALERIE staff responsible for contractual services and the administration of relations with the member entities of the IRIS GALERIE network and with end customers,
- the members of staff of IRIS GALERIE's subcontracted and non-subcontracted service providers participating in the provision of these services such as, for example, production laboratories, transporters and IT service providers,
- and members of staff of the IRIS GALERIE network, joint or independent data controllers.
(f) Transfer of personal data outside the European Economic Area (EEA)
Data Subjects are informed that the Data Controller may, where appropriate (in particular when a service provider is located outside the EEA), transfer personal data to a third country that is the subject of an adequacy decision issued by the European Commission. If the recipient country is not the subject of an adequacy decision, the transfer may only be carried out on condition that appropriate safeguards are put in place and that the Data Subjects concerned by the Processing have enforceable rights and effective means of redress, under the conditions of the Regulations in force and in particular Articles 46 to 49 of the GDPR.
(g) Retention period for personal data
The length of time Data Subjects' personal data is kept varies according to the purpose of the Processing and the nature of the relationship (prospect who has never entered into a contract or customer).
The table below sets out the main retention periods for personal data relating to Data Subjects:
| Data categories | Purposes | Retention period |
|---|---|---|
| **Prospects** | | |
| All personal data (including identification and contact data) | Creation and use of a prospective client database | 3 (three) years from the last contact with the prospect |
| **Current and former customers** | | |
| Identification and contact details | Management of customer accounts, credentials, orders, invoicing and payments; dissemination of information on offer developments | For the entire duration of the contractual relationship (as long as the Data Subjects have not expressed their intention to no longer have their personal data stored), up to a maximum of 3 years from the last order for services and/or documents placed by the Data Subjects |
| Data relating to the performance of the contract | Management of customer accounts, orders, invoicing and payments | 10 years from the last order for services and/or documents placed by the Data Subjects |
| Iris captures | Production of the works | 24 hours in the active database |
| Data relating to the exercise of a right by a Data Subject | Fulfilment of obligations under Article 15 et seq. of the GDPR | The calendar year of the request, plus five years |
| **Contacts at processors and other partners** | | |
| Identification and contact details | Management of customer accounts, orders, invoicing and payments; dissemination of information on offer developments | For the duration of the contractual relationship (as long as the Data Subjects have not expressed their intention not to have their personal data retained), up to a maximum of 3 years from the last contact in the context of the last contractual relationship |
(h) Rights of Data Subjects that may be exercised with the Controller (as identified above)
Depending on the legal basis for the Processing (in particular where it rests on consent), the Data Subject has the following rights, under the conditions laid down by the Regulations in force:
- access to personal data;
- rectification of inaccurate or incomplete personal data;
- erasure of such data, in particular when it is no longer necessary for the purposes of the Processing or when the Data Subject has withdrawn their consent or when the Processing is unlawful, subject to legal retention obligations;
- restriction on the Processing of their personal data when the accuracy of the data is being verified following a challenge by the Data Subject, when the Processing is unlawful and the Data Subject objects to the erasure of the data and instead requests a restriction on its use, or when the Data Controller no longer needs the personal data for the purposes of the Processing but it is still necessary for the Data Subject to establish, exercise, or defend legal claims;
- objection to the Processing of their personal data for reasons relating to their particular situation;
- objection, at any time, to the Processing of their personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing;
- data portability under the conditions of the Regulations in force, which stipulate in particular that Data Subjects have the right to receive the personal data concerning them that they have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and have the right to have this data transmitted to another Data Controller;
- the right to define directives concerning what happens to their personal data after their death.
The rights identified herein are exercised against the Data Controller (as identified above) by means of a request made by the Data Subject, or by a duly authorised person, and addressed to the Data Protection Officer of IRIS GALERIE at the following e-mail address: firstname.lastname@example.org.
(i) Complaint to the CNIL
Data Subjects may lodge a complaint with the supervisory authority, namely the Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07, if they consider that the Data Controller's responses to their questions about the processing of their personal data are not satisfactory.
(j) Mandatory Provision of Certain Personal Data
The exercise by a Data Subject of their right to object to the processing of some of their personal data (and in particular location and/or contact data) for reasons relating to their particular situation may prevent the contract from being concluded. Subsequent exercise of the same right may, where applicable, prevent access to additional contractual services.
(k) Automated Decision-Making
The personal data collected is not used to make any automated decisions within the meaning of the Regulations in force.
(l) Possible Further Processing of Personal Data
In principle, IRIS GALERIE does not carry out any further processing of personal data for a purpose other than that for which the personal data was collected. However, should processing be carried out for one or more purposes other than those initially determined, provided they are not incompatible with them, the Data Controller shall provide the Data Subjects in advance with the required information concerning this/these purpose(s) and, where necessary, shall obtain their prior consent.