Personal data policy

Last updated 04/2024

This page is subject to change, so please consult it regularly.

1. INTRODUCTION

Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data (hereinafter the ‘GDPR’), establishes, along with other applicable texts, the legal framework applicable to the processing of personal data.

These texts strengthen the rights and responsibilities of data controllers, subcontractors, data subjects and data recipients. In particular, they require data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible manner.

We, the GIE GLD Services, with head office at 52, Avenue du Canada – 35200 Rennes, France, registered in the Rennes Trade and Companies Register (RCS) under number 380 855 486 (the ‘Company’), are the publisher of the Website ‘groupeleduff.com’ (the ‘Website’).

2. PURPOSE

The Company attaches great importance to the protection of your personal data and privacy.

This Policy aims to:

This Policy applies only to processing for which the Company is responsible. The processing of personal data may be managed directly by the Company or through a specifically designated subcontractor. This Policy is independent of any other document that may apply to the contractual relationship between you and the Company (cookies, business or partnership contracts, etc.).

3. DATA PROTECTION OFFICER

The Company has appointed a Data Protection Officer to ensure compliance with personal data regulations.

You can reach them by email at vosdonneespersonnelles@groupeleduff.com or by post at:

Groupe LE DUFF
Service Conformité – Délégué à la Protection des Données
[Compliance Department – Data Protection Officer]
52, Avenue du Canada
35200 RENNES
France

4. GENERAL PRINCIPLES

When the Company collects and uses your data, it does so for a specific purpose of which you have been informed. In accordance with regulations, the purposes for which your data is collected are listed in a record of processing activities. This information is also included in the disclosures brought to your attention, as well as in Article 10 of this Policy.

5. PROCESSED PERSONAL DATA CATEGORIES

The Company undertakes to collect and use only the personal data it needs to carry out its tasks. The categories of personal data collected by the Company vary according to its intended use. A list of the data is provided in Article 10 of this Policy.

The Company does not process sensitive data as defined in Article 9 of the GDPR (i.e. any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health-related data or data relating to a natural person’s sex life or sexual orientation).

6. SOURCE OF PROCESSED PERSONAL DATA

The Company will only process personal data collected by or for services offered on the Website, GLD Services mobile applications, branches and franchisees of GLD Services brands who sell products on the Website or on GLD Services mobile applications, or data processed in connection with these services.

The Company may collect your personal data when:

7. RECIPIENTS OF PERSONAL DATA

The Company ensures that only authorised persons and organisations have access to your data, and only for the purposes related to their duties. These may include:

The Company ensures compliance by its subcontractors with its obligations under the applicable regulations. Furthermore, the Company reserves the right to audit its subcontractors to ensure compliance with applicable regulations.

A detailed breakdown of recipients by purpose is provided in Article 10 of this Policy.

With the exception of the persons specified above and in Article 10 of this Policy, your personal data will not be communicated, transferred, leased or shared for the benefit of any third parties.

8. TRANSFER OF PERSONAL DATA

If necessary for the purposes described in this Policy, your data may be transferred for technical reasons to a third country. When the country in question does not have an adequacy decision (which means its data protection level is equivalent to that in place in the European Union), the Company ensures that the transfer is backed up by one of the following appropriate measures:

If a franchise applicant wishes to fill in an application form for a franchised establishment located in a country outside the European Union, the applicant is informed that the Company may be required – if necessary as part of the application review process – to transfer the personal data to recipients located in the relevant country.

9. RETENTION PERIOD OF YOUR PERSONAL DATA

The data retention period is determined by the Company in view of its legal and contractual constraints. Data is stored only for as long as is strictly necessary for the purposes for which it was collected.

In general, data that can be used to prove a right or an agreement will be stored for the period prescribed by the law in force.

At the end of the period set for each category of processed personal data, and subject to provisions permitting storage that is strictly necessary for the exercise of a right and proof of this right for the prescribed period applicable or pursuant to the legal requirements to which the Company is subject, the Company:

You are reminded that the deletion or anonymisation of data is irreversible and that the Company is subsequently unable to restore it.

10. SUMMARY TABLE OF THE PURPOSES OF PROCESSING YOUR PERSONAL DATA, DATA COLLECTED, DATA RECIPIENTS, RETENTION PERIOD AND LEGAL BASIS

The Company uses your personal data for defined purposes (why your data is used) and on legal grounds (why the Company has the right to use your data), as provided for by the regulations. The table below sets out the main purposes for which personal data is processed by the Company. For further information about the processing of your personal data, please contact the Data Protection Officer. This list is subject to change.

Purpose of the processing: Franchise application management

Data collected:

Non-technical data
· Identification: surname/first name/title/job/date and place of birth/nationality
· Contact details: Phone/email address/postal address/fax
· Working life: education/previous jobs/names of companies that have employed the applicant/information on the applicant’s professional background and information included by the applicant as part of their CV and cover letter sent to the Company/income
· Personal life (family or assets) for the purposes of the franchise application review: family situation/identification, date of birth and profession of spouse/number of children/movable and immovable assets (securities)

Technical data
· Identification data (IP)
· Connection data (especially logs)
· Data relating to consent (click)

Legal basis: Legitimate interest

Retention period: For the processing of data relating to franchise applications, data collected via the form is transferred to the recipient(s) by email. It is then deleted from the website no later than one (1) month after collection and generally stored on other media for a maximum of three (3) years after collection.

Internal and external recipients:
· Representatives and employees of the Company, entities of the Le Duff Group, and companies operating establishments under the Le Duff Group brand name (franchisees);
· If an applicant wishes to fill in an application form for a franchised establishment located in a country outside the European Union, the Company may be required – if necessary as part of the application review process – to transfer the personal data to recipients (within the meaning of Article 8) located in the relevant country.

Purpose of the processing: Contact request management

Data collected:

Non-technical data
· Identification: surname/first name
· Contact details: Phone/email address

Technical data
· Identification data (IP)
· Connection data (especially logs)
· Data relating to consent (click) especially for online subscriptions

Legal basis: Legitimate interest

Retention period: The data will be kept for a maximum of three (3) years after your last connection to the ‘groupeleduff.com’ website.

Internal and external recipients:
· If necessary, employees of the Company’s technical service providers involved in operating the website ‘groupeleduff.com’ (for example, translation providers, information service providers, reprographics);
· Oversight services;
· Public bodies, solely for the purpose of meeting the Company’s legal obligations, court officials, legal officials, etc.;
· Communications Department of the Company;
· IT Department of the Company.

Purpose of the processing: Safety of people and property

Data collected:
· Images of the video surveillance system for visitors to the head office

Legal basis: Legitimate interest

Retention period: Images are stored for 30 days

Internal and external recipients:
· Internal departments in charge of image processing and the competent authorities, where applicable.

11. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

You are informed that all the rights listed below are individual rights that can only be exercised by you or a person authorised to act on your behalf.

Right of access

You have the right to ask the Company to confirm whether or not your personal data has been processed. You also have a right of access and the right to request a copy of your personal data that has been processed by the Company.
Customers and contacts also have a right of access.

If you submit a request for a copy of your data electronically, the information requested will be provided to you in a commonly used electronic format, unless requested otherwise.
You are informed that this right of access cannot cover data for which the law does not authorise disclosure.

Right to restrict processing of your data

You may ask the Company to restrict the processing of your data in the cases provided for by the regulations.

Right to object to the processing of your data

You may object at any time, for reasons relating to your particular situation, to the processing of your data, the legal basis of which is the legitimate interest of the Company. If you exercise this right, the Company will ensure that it no longer processes your personal data, unless it can demonstrate compelling legitimate grounds for continuing to do so. These grounds must outweigh your interests and your rights and freedoms, or the processing must be justified for the establishment, exercise or defence of legal claims.

Once you have agreed to receive offers (newsletters and/or commercial offers) from the Company, you may unsubscribe at any time by clicking on the link provided or by any other means offered to you.

Right of rectification

You may ask the Company to rectify or complete your personal data if it is inaccurate, incomplete, ambiguous or out of date. The Company may not be blamed for a lack of updates if the client or contact does not update their data.

Right to withdraw your consent

Where the Company uses your personal data on the basis of your consent, you may withdraw this consent at any time. The Company will then stop using your personal data, without this calling into question any previous operations for which you had given your consent.

Right to erasure

You may ask the Company to delete your personal data where one of the following reasons applies:

Please note that this right is not a general right and can only be exercised if one of the grounds set out in the applicable regulations is present. If none of these grounds are present, the Company will not be able to respond favourably to your request. This is the case, for example, if the Company must retain your data in order to comply with a legal or regulatory requirement or to establish, exercise or defend legal claims.

Right to data portability

You have the option of recovering part of your data in a machine-readable format for personal use or for transmission to a third party of your choice. This right does not apply to paper files and only applies on the basis of your prior consent or the performance of the contract. The exercise of this right must not infringe the rights and freedoms of third parties whose data is included in the transmitted data.

Right to define post-mortem directives

You have the possibility of defining specific directives relating to the retention, deletion and disclosure of your personal data after your death. These specific directives will only concern the processing carried out by the Company and will be limited to this scope.

Right to lodge a complaint with the CNIL

If you feel that your rights under the Data Protection Act have not been respected, you may submit a complaint to the Commission Nationale de l’Informatique et des Libertés (CNIL, French National Commission on Computer Technology and Freedom):

CNIL – Service des plaintes [Complaints Department]: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 – FRANCE
Tel.: +33 (0)1 53 73 22 22

12. HOW TO EXERCISE YOUR RIGHTS

You can exercise these rights by email at vosdonneespersonnelles@groupeleduff.com or by post at:

Groupe LE DUFF
Service Conformité – Délégué à la Protection des Données
[Compliance Department – Data Protection Officer]
52, Avenue du Canada
35200 RENNES
France

The Company will acknowledge receipt of your request to exercise your rights and will respond to your request as soon as possible and no later than one (1) month from receipt of your request. This period may be extended by two (2) months if the request is complex, for a total of three (3) months after receipt of your initial request. In the latter case, the Company will inform you of the extension and explain the reasons for it.

In case of doubt regarding your identity, the Company may ask you to provide additional information necessary for your identification.

If you wish to provide proof of identity by sending an identity document, make sure you send only the front in black and white, with a watermark (https://filigrane.beta.gouv.fr/).

Exercising these rights is free of charge. However, if your requests are repetitive, excessive or abusive, you may be charged a fee.

In accordance with the regulations, the Company stores the data relating to the exercise of your rights for a maximum period of three (3) years and then renders it anonymous.

If you have sent proof of identity, this will be stored for one (1) year after receipt of the request if proof was required. If not, the proof will be deleted immediately.

13. MANDATORY OR VOLUNTARY RESPONSES

You are informed on every personal data collection form whether a response is mandatory or voluntary through the use of an asterisk. If some answers are mandatory and you do not provide them, you will not be able to complete the online application or contact request.

14. LINKS TO THIRD-PARTY WEBSITES

The Company may also provide links to other websites. This is particularly true of the ‘Job advertisements’ and ‘Become a Le Duff Group Franchisee’ sections. Nevertheless, the Company shall not be liable for the content or data collection policies of these websites. If you visit the websites of third parties, please check their information collection and privacy protection policies before providing them with your personal data. The Company accepts no liability in this respect.

15. RIGHT OF USE GRANTED TO THE COMPANY

The Company is granted the right by the data subjects to use and process their personal data for the purposes defined above.

16. SECURITY OF YOUR DATA

The Company attaches particular importance to the security of your personal data. Appropriate technical and organisational measures are implemented to ensure that your data is processed in such a way as to guarantee its protection against loss, destruction or accidental damage that could undermine its confidentiality or integrity.

When creating or selecting a new tool for using your personal data, the Company ensures that it offers an adequate level of protection. The Company signs contracts with its subcontractors and partners which clearly define the terms and conditions of use of your data. In the event of an incident involving your personal data, the Company has put in place a specific procedure. In the event of a high risk to your privacy, rights and freedoms, the Company will inform you of this incident, in accordance with its obligations in this respect.