Personal data policy

This page sets out the Personal Data Policy.

1. Preamble – About us

Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data, also known as the General Data Protection Regulation (hereinafter the ‘GDPR’), establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and responsibilities of data controllers, subcontractors, data subjects and data recipients. In particular, it requires data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible manner.

In the course of its business, GOLD SERVICES GIE, whose head office is at 52, Avenue du Canada – 35200 Rennes, registered in the RCS of Rennes under number 380 855 486 (hereinafter the ‘Company’), and publisher of the website ‘groupeleduff.com’, processes the personal data described below.

For a proper understanding of this policy, it is stated that:

• ’contact(s)’ or ‘applicants’: natural or legal persons connected to the Company (applicants, prospects, liaisons, partners, etc.);
• ’data controller’: natural or legal person who determines the purpose and means of processing the personal data defined in this policy. Under the latter, the data controller is the Company;
• ’subcontractor’: natural or legal person who processes personal data on behalf of the data controller. In practice, these are service providers with whom the Company works and who have an interest in the personal data it processes;
• ’data subjects’: persons who can be directly or indirectly identified. Under this policy, they are classed as ‘applicants’ or ‘contacts’;
• ’recipients’: natural or legal persons who receive personal data. Data recipients may therefore be both internal recipients and external bodies.

2. Purpose

To meet its needs, the Company processes personal data relating to its applicants and contacts.

The purpose of this policy is to meet the Company’s requirement to provide information and to formalise the rights and responsibilities of applicants and contacts with regard to the processing of their personal data.

This policy applies only to processing for which the Company is responsible.

The processing of personal data may be managed directly by the Company or through a specifically designated subcontractor.

This policy is independent of any other document that may apply to the contractual relationship between the Company and its applicants and contacts (cookies, business or partnership contracts, etc.).

3. General principles and commitment

The personal data of applicants and contacts is only processed by the Company if it is collected by or for us, or for subsidiaries and franchisees of Le Duff Group brands (Brioche Dorée, Del Arte, La Madeleine, Le Fournil de Pierre, Kamps, Bridor, FB Solution, Terre des Loges and Gourming) or processed in relation to these entities.

Applicants and contacts will be informed of any new processing operations, or changes to or deletion of an existing processing operation.

4. Processing operations and types of data collected through processing

The Company carries out the following two processing operations.

1) RECRUITMENT OF APPLICANTS TO THE FRANCHISE FOR ONE OF THE BRANDS OF THE LE DUFF GROUP

NON-TECHNICAL DATA:

• Identification: surname/first name/title/job/date and place of birth/nationality
• Contact details: Phone/email address/postal address/fax
• Working life: education/previous jobs/names of companies that have employed the applicant/information on the applicant’s professional background and information included by the applicant as part of their CV and cover letter sent to the Company/income
• Personal life (family or assets) for the purposes of the franchise application review: family situation/identification, date of birth and profession of spouse/number of children/movable and immovable assets (securities)

TECHNICAL DATA (depending on use)

• Identification data (IP)
• Connection data (especially logs)
• Data relating to consent (click)

The Company does not process sensitive data within the meaning of article 9 of the GDPR.

2) DATA PROCESSED BY THE SENDER OF A MESSAGE VIA THE ‘CONTACT’ SECTION OF THE WEBSITE ‘GROUPELEDUFF.COM’

NON-TECHNICAL DATA:

• Identification: surname/first name
• Contact details: Phone/email address

TECHNICAL DATA (depending on use)

• Identification data (IP)
• Connection data (especially logs)
• Data relating to consent (click) especially for online subscriptions

The Company does not process sensitive data within the meaning of article 9 of the GDPR as part of this processing operation.

5. Data sources

The Company collects the data of its applicants and contacts from data provided by the applicant or contact via the online forms they fill in.

6. Purposes of the processing

Depending on the situation, the Company processes your data for the following purposes:

• managing the relationship with the applicant or contact (in particular, assessing applications);
• managing events organised by the Company (conferences, breakfasts, etc.) and inviting applicants and contacts;
• sending our newsletters or information feeds;
• answering questions we are asked (by phone or online);
• improving our services;
• meeting our administrative responsibilities;

7. Legal basis

Processing operations are based on:

• the consent of data subjects with regard to processing relating to applications, and
• legitimate interest with regard to the ‘contact’ section.

8. Data recipients

The Company ensures that data can only be accessed by the following authorised internal or external recipients:

• on a case-by-case basis and in accordance with the purpose of the processing: representatives and employees of the Company, entities of the Le Duff Group, and companies operating establishments under the Le Duff Group brand name (franchisees);
• if necessary, employees of technical service providers of the Company involved in the operation of the website ‘groupeleduff.com’) (for example, translation providers, information service providers, reprographics, etc.);
• oversight services;
• public bodies, solely for the purpose of meeting the Company’s legal obligations, court officials, legal officials, etc.;
• Communications Department of the Company;
• IT Department of the Company.

With the exception of the persons specified above, your personal data will not be communicated, transferred, leased or shared for the benefit of any third parties.

9. Transfer of personal data

If an applicant wishes to fill in an application form for a franchised establishment located in a country outside the European Union, the Company may be required – if necessary as part of the review of this application – to transfer the personal data collected to recipients (within the meaning of article 9) located in the relevant country.

When the country concerned does not have an adequacy decision (which means its data protection level is equivalent to that in place in the European Union), the Company ensures as far as possible that the transfer is backed up by one of the following appropriate safeguard measures:

• contractual clauses similar to those approved by the CNIL [French National Commission for Information Technology and Civil Liberties];
• our adherence to an approved code of conduct;
• compliance with a certification scheme certified by an approved body;
• binding corporate rules approved by the CNIL.

IF THESE MEASURES CANNOT BE IMPLEMENTED, THE APPLICANT IS INFORMED THAT THE TRANSFER OF THEIR PERSONAL DATA POSES A HIGH POTENTIAL RISK OF BREACH (LOSS OF AVAILABILITY, INTEGRITY OR CONFIDENTIALITY OF PERSONAL DATA, EITHER ACCIDENTALLY OR UNLAWFULLY): YOU ARE THEREFORE SPECIFICALLY CONSENTING TO THIS TRANSFER.

10. Storage period

The data storage period is determined by the Company in view of its legal and contractual constraints.

For the processing of data relating to franchise applications, data collected via the form is transferred to the recipient(s) by email. It is then deleted from the website no later than one month after collection and, in general, stored on other media for a maximum of three (3) years after collection.

For the processing of data collected via the contact form, data will be stored for a maximum of three (3) years after your last login to the website ‘groupeleduff.com’.

However, data that can be used to prove a right or an agreement must be stored as a legal requirement, for the period prescribed by the law in force.

At the end of the period defined for each category of personal data processed, and subject to provisions permitting storage that is strictly necessary for the exercise of a right and proof of this right for the prescribed period applicable or pursuant to the legal requirements to which the Company is subject, the Company:

• • destroys personal data, or
  • stores this data in an irreversibly anonymised form, so that it no longer constitutes personal data within the meaning of the applicable regulations .

</ul
Applicants and contacts are reminded that the deletion or anonymisation of data is irreversible and that the Company is not able subsequently to restore it.

11. Right of access

Applicants and contacts usually have the right to ask the Company to confirm whether or not their personal data has been processed.

Applicants and contacts also have the right of access, subject to compliance with the following rules:

• • • the request comes from the person themselves and is accompanied by a copy of a current identity document;
    • the request must be sent in writing to the following address: DPO GLD 52 avenue du Canada 35200 RENNES or the email address: vosdonneespersonnelles@groupeleduff.com

Applicants and contacts have the right to request a copy of their personal data that has been processed by the Company. However, if an extra copy is requested, applicants and contacts may be required to reimburse the Company for this cost.

If applicants and contacts submit their request for a copy of their data electronically, the information requested will be provided to them in a commonly used electronic format, unless requested otherwise.

Applicants and contacts are informed that this right of access does not apply to information or data that is confidential or for which the law does not authorise disclosure.

12. Update – Updating and correcting

You can exercise this right through your usual point of contact, by default the Communications Department of the Company.

The Company may ask applicants and contacts to comply with requests to allow regular updating of the personal data it collects.

The Company may not be blamed for a lack of updates if the applicant or contact does not update their data.

13. Right to deletion

Applicants and contacts will not have the right to request deletion of their personal data if processing is carried out to meet a legal requirement.

This circumstance excepted, applicants and contacts may only request deletion of their personal data in the following cases:

• • • when the personal data is no longer necessary with regard to the purposes for which it was collected or otherwise processed;
    • when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
    • when the data subject opposes processing that is necessary for the purposes of legitimate interests pursued by the Company and there is no compelling legitimate reason for the processing;
    • when the data subject opposes processing of their personal data for marketing purposes, including profiling;
    • when the personal data has been processed unlawfully.

14. Right to restriction

Applicants and contacts are informed that this right is not intended to apply, since the processing carried out by the Company is lawful and all personal data collected is necessary for the performance of the business contract.

15. Right to portability

The Company grants the right to data portability in the specific case of data provided by applicants or contacts themselves, on online services offered by the Company and for purposes based solely on the consent of the data subject. In this case, data will be disclosed in a structured, commonly used and machine-readable format.

16. Automated individual decision

The Company does not make automated individual decisions.

17. Post-mortem rights

Applicants and contacts are informed that they have the right to prepare instructions regarding the storage, deletion and disclosure of their data after death. Communication of specific post-mortem instructions and the exercise of these rights can be carried out:

• • by email to the address:

vosdonneespersonnelles@groupeleduff.com

or by post to the following address: DPO GLD 52 avenue du Canada 35200 RENNES, accompanied by a signed copy of an identity document.

18. Grounds – Manifestly excessive exercise of rights

For all the rights mentioned above from which the applicant or contact benefits and pursuant to personal data protection law, you are hereby informed that these are individual rights that can only be exercised by the data subject with regard to their own information. To meet this requirement, we will verify the identity of the data subject.

Note that if a data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may:

• • • demand payment of reasonable costs, taking into account the administrative costs involved in providing and communicating the information or taking the requested measures; or
    • refuse to proceed with these requests.

19. Optional or mandatory nature of responses

Applicants and contacts are informed on every personal data collection form whether a response is mandatory or optional through the use of an asterisk.

If responses are mandatory, the Company explains to applicants and contacts the consequences of not providing a response.

20. Right of use

The Company is given the right by applicants and contacts to use and process their personal data for the purposes defined above.

21. Subcontracting

The Company informs its applicants and contacts that it may involve any subcontractor of its choice in the processing of their personal data.

In this case, the Company ensures compliance by the subcontractor with its obligations under the GDPR.

The Company commits to signing a written contract with all of its subcontractors and imposes on them the same data protection requirements as itself. Furthermore, the Company reserves the right to audit its subcontractors to ensure compliance with the GDPR.

22. Security

It is the Company’s responsibility to define and implement the technical security measures, whether physical or logical, it deems appropriate to prevent the destruction, loss, alteration or unauthorised disclosure of data, whether accidentally or unlawfully.

These measures notably include:

• • • the use of security measures for accessing the premises (closing offices, badges, etc.);
    • secure access to our computers and smartphones (access code changed regularly);
    • login and password for all our business applications;
    • management of authorisations for access to data (special features for our financial, accounts and communications departments);
    • VPN for remote connections;
    • complex and regularly changed password for our Wi-Fi network.

To achieve this, the Company may be assisted by any third party of its choice, as often as it deems necessary, to carry out vulnerability audits or intrusion tests.

In any case, in the event of changes to the means of ensuring the security and confidentiality of personal data, the Company commits to replacing them with higher-performing measures. No changes may lead to a lower level of security.

In the event that all or part of the processing of personal data is subcontracted, the Company commits to contractually imposing on its subcontractors security guarantees through technical measures to protect this data and adequate human resources.

23. Data breaches

In the case of a personal data breach, the Company commits to informing the CNIL under the conditions set out by the GDPR.

If this breach poses a high risk to applicants and contacts and data has not been protected, the Company:

• • • will inform the applicants and contacts affected;
    • will provide the applicants and contacts affected with the necessary information and recommendations.

24. Point of Contact for Personal Data

The Company has appointed a Point of Contact for Personal Data: vosdonneespersonnelles@groupeleduff.com – Point of Contact for Personal Data – LE DUFF Group – 52 avenue du Canada 35200 RENNES.

25. Register of processing operations

The Company has a register of processing operations.

26. Right to lodge a complaint with the CNIL

Applicants and contacts affected by the processing of their personal data are informed of their right to lodge a complaint with the supervisory authority, namely the CNIL in France, if they believe the processing of their personal data does not comply with European data protection regulations. Complaints should be sent to the following address:

CNIL – Complaints department: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

Tel: +33(0)1 53 73 22 22

27. Changes

This policy may be changed or adjusted at any time in the event of changes to legislation, case law, CNIL decisions and recommendations or usage.

Any new versions of this policy will be brought to the attention of applicants and contacts by any means chosen by the Company, including electronically (by email or online, for example).

28. For more information

For more information, please contact our point of contact at the following email address: vosdonneespersonnelles@groupeleduff.com – Point of Contact for Personal Data – LE DUFF Group – 52 avenue du Canada 35200 RENNES

For more general personal data protection information, please refer to the CNIL website www.cnil.