Personal data policy

This page sets out the Personal Data Policy.

1. Preamble – About us

Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data, also known as the General Data Protection Regulation (hereinafter the ‘GDPR’), establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and responsibilities of data controllers, subcontractors, data subjects and data recipients. In particular, it requires data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible manner.

In the course of its business, GOLD SERVICES GIE, whose head office is at 52, Avenue du Canada – 35200 Rennes, registered in the RCS of Rennes under number 380 855 486 (hereinafter the ‘Company’), and publisher of the website ‘’, processes the personal data described below.

For a proper understanding of this policy, it is stated that:

2. Purpose

To meet its needs, the Company processes personal data relating to its applicants and contacts.

The purpose of this policy is to meet the Company’s requirement to provide information and to formalise the rights and responsibilities of applicants and contacts with regard to the processing of their personal data.

This policy applies only to processing for which the Company is responsible.

The processing of personal data may be managed directly by the Company or through a specifically designated subcontractor.

This policy is independent of any other document that may apply to the contractual relationship between the Company and its applicants and contacts (cookies, business or partnership contracts, etc.).

3. General principles and commitment

The personal data of applicants and contacts is only processed by the Company if it is collected by or for us, or for subsidiaries and franchisees of Le Duff Group brands (Brioche Dorée, Del Arte, La Madeleine, Le Fournil de Pierre, Kamps, Bridor, FB Solution, Terre des Loges and Gourming) or processed in relation to these entities.

Applicants and contacts will be informed of any new processing operations, or changes to or deletion of an existing processing operation.

4. Processing operations and types of data collected through processing

The Company carries out the following two processing operations.



TECHNICAL DATA (depending on use)

The Company does not process sensitive data within the meaning of article 9 of the GDPR.



TECHNICAL DATA (depending on use)

The Company does not process sensitive data within the meaning of article 9 of the GDPR as part of this processing operation.

5. Data sources

The Company collects the data of its applicants and contacts from data provided by the applicant or contact via the online forms they fill in.

6. Purposes of the processing

Depending on the situation, the Company processes your data for the following purposes:

7. Legal basis

Processing operations are based on:

8. Data recipients

The Company ensures that data can only be accessed by the following authorised internal or external recipients:

With the exception of the persons specified above, your personal data will not be communicated, transferred, leased or shared for the benefit of any third parties.

9. Transfer of personal data

If an applicant wishes to fill in an application form for a franchised establishment located in a country outside the European Union, the Company may be required – if necessary as part of the review of this application – to transfer the personal data collected to recipients (within the meaning of article 9) located in the relevant country.


When the country concerned does not have an adequacy decision (which means its data protection level is equivalent to that in place in the European Union), the Company ensures as far as possible that the transfer is backed up by one of the following appropriate safeguard measures:


10. Storage period

The data storage period is determined by the Company in view of its legal and contractual constraints.

For the processing of data relating to franchise applications, data collected via the form is transferred to the recipient(s) by email. It is then deleted from the website no later than one month after collection and, in general, stored on other media for a maximum of three (3) years after collection.

For the processing of data collected via the contact form, data will be stored for a maximum of three (3) years after your last login to the website ‘’.

However, data that can be used to prove a right or an agreement must be stored as a legal requirement, for the period prescribed by the law in force.

At the end of the period defined for each category of personal data processed, and subject to provisions permitting storage that is strictly necessary for the exercise of a right and proof of this right for the prescribed period applicable or pursuant to the legal requirements to which the Company is subject, the Company:

Applicants and contacts are reminded that the deletion or anonymisation of data is irreversible and that the Company is not able subsequently to restore it.

11. Right of access

Applicants and contacts usually have the right to ask the Company to confirm whether or not their personal data has been processed.

Applicants and contacts also have the right of access, subject to compliance with the following rules:

Applicants and contacts have the right to request a copy of their personal data that has been processed by the Company. However, if an extra copy is requested, applicants and contacts may be required to reimburse the Company for this cost.

If applicants and contacts submit their request for a copy of their data electronically, the information requested will be provided to them in a commonly used electronic format, unless requested otherwise.

Applicants and contacts are informed that this right of access does not apply to information or data that is confidential or for which the law does not authorise disclosure.

12. Update – Updating and correcting

You can exercise this right through your usual point of contact, by default the Communications Department of the Company.

The Company may ask applicants and contacts to comply with requests to allow regular updating of the personal data it collects.

The Company may not be blamed for a lack of updates if the applicant or contact does not update their data.

13. Right to deletion

Applicants and contacts will not have the right to request deletion of their personal data if processing is carried out to meet a legal requirement.

This circumstance excepted, applicants and contacts may only request deletion of their personal data in the following cases:

14. Right to restriction

Applicants and contacts are informed that this right is not intended to apply, since the processing carried out by the Company is lawful and all personal data collected is necessary for the performance of the business contract.

15. Right to portability

The Company grants the right to data portability in the specific case of data provided by applicants or contacts themselves, on online services offered by the Company and for purposes based solely on the consent of the data subject. In this case, data will be disclosed in a structured, commonly used and machine-readable format.

16. Automated individual decision

The Company does not make automated individual decisions.

17. Post-mortem rights

Applicants and contacts are informed that they have the right to prepare instructions regarding the storage, deletion and disclosure of their data after death. Communication of specific post-mortem instructions and the exercise of these rights can be carried out:

or by post to the following address: DPO GLD 52 avenue du Canada 35200 RENNES, accompanied by a signed copy of an identity document.

18. Grounds – Manifestly excessive exercise of rights

For all the rights mentioned above from which the applicant or contact benefits and pursuant to personal data protection law, you are hereby informed that these are individual rights that can only be exercised by the data subject with regard to their own information. To meet this requirement, we will verify the identity of the data subject.

Note that if a data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may:

19. Optional or mandatory nature of responses

Applicants and contacts are informed on every personal data collection form whether a response is mandatory or optional through the use of an asterisk.

If responses are mandatory, the Company explains to applicants and contacts the consequences of not providing a response.

20. Right of use

The Company is given the right by applicants and contacts to use and process their personal data for the purposes defined above.

21. Subcontracting

The Company informs its applicants and contacts that it may involve any subcontractor of its choice in the processing of their personal data.

In this case, the Company ensures compliance by the subcontractor with its obligations under the GDPR.

The Company commits to signing a written contract with all of its subcontractors and imposes on them the same data protection requirements as itself. Furthermore, the Company reserves the right to audit its subcontractors to ensure compliance with the GDPR.

22. Security

It is the Company’s responsibility to define and implement the technical security measures, whether physical or logical, it deems appropriate to prevent the destruction, loss, alteration or unauthorised disclosure of data, whether accidentally or unlawfully.

These measures notably include:

To achieve this, the Company may be assisted by any third party of its choice, as often as it deems necessary, to carry out vulnerability audits or intrusion tests.

In any case, in the event of changes to the means of ensuring the security and confidentiality of personal data, the Company commits to replacing them with higher-performing measures. No changes may lead to a lower level of security.

In the event that all or part of the processing of personal data is subcontracted, the Company commits to contractually imposing on its subcontractors security guarantees through technical measures to protect this data and adequate human resources.

23. Data breaches

In the case of a personal data breach, the Company commits to informing the CNIL under the conditions set out by the GDPR.

If this breach poses a high risk to applicants and contacts and data has not been protected, the Company:

24. Point of Contact for Personal Data

The Company has appointed a Point of Contact for Personal Data: – Point of Contact for Personal Data – LE DUFF Group – 52 avenue du Canada 35200 RENNES.

25. Register of processing operations

The Company has a register of processing operations.

26. Right to lodge a complaint with the CNIL

Applicants and contacts affected by the processing of their personal data are informed of their right to lodge a complaint with the supervisory authority, namely the CNIL in France, if they believe the processing of their personal data does not comply with European data protection regulations. Complaints should be sent to the following address:

CNIL – Complaints department: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

Tel: +33(0)1 53 73 22 22


27. Changes

This policy may be changed or adjusted at any time in the event of changes to legislation, case law, CNIL decisions and recommendations or usage.

Any new versions of this policy will be brought to the attention of applicants and contacts by any means chosen by the Company, including electronically (by email or online, for example).

28. For more information

For more information, please contact our point of contact at the following email address: – Point of Contact for Personal Data – LE DUFF Group – 52 avenue du Canada 35200 RENNES

For more general personal data protection information, please refer to the CNIL website www.cnil.