Who we are
Our website address is: www.perpignantourisme.com
The data controller is the Office de Tourisme de Perpignan represented by Frédéric Guillaumon, its President.
The contact details are as follows:
- Postal address: Place de la loge 66000 Perpignan
- Telephone: 04 68 66 30 30
E-mail: contact-office@perpignan.fr
How does the Perpignan Tourist Office protect Personal Data?
L'Office de Tourisme de Perpignan undertakes to take into account the protection of your Personal Data right from the design stage of the processing operations that are implemented and for the services that are offered to you(Privacy by design).
To ensure security and guarantee the respect and exercise of your rights, measures to protect your Personal Data are also implemented for all processing.(Privacy by default).
What Personal Data is processed by Perpignan Tourist Office?
The Tourist Office collects the data required to provide the services it offers.
In the event that optional data is requested, the operational managers (of the department requesting the data) will clearly inform you which Personal Data is necessary to provide the service and which is optional.
Personal Data is collected directly from you and indirectly, for the use of the services offered by the Tourist Office and is only used for the purposes that are or will be brought to your attention.
Data such as name/first name/telephone/email/city may be passed on to our partner tour guides as part of the sale of guided tours, and will be systematically destroyed by our guide partner after the tour has been completed.
Your data such as name/first name/telephone/email/address/postal code/city may be passed on to our partners solely in connection with the booking of tourist services (shows, leisure activities, excursions, events) produced by these same service providers, who undertake to comply with the applicable legislation on RGPD.
What are the foundations of the legitimacy of our treatments?
The Office de Tourisme de Perpignan relies on the following legitimate bases in order to be able to process Personal Data:
- Contract performance
This is the legal basis for processing customer Personal Data collected for the purpose of, or in connection with, fulfilling a contract (online purchase of a tourist service). In this respect, the user is obliged to provide the data necessary for its execution. If the user does not provide this data, possibly to the online payment service provider, it will not be possible to carry out the arrangements relating to the tourist, leisure or cultural service sold by the Tourist Office.
- Consent
The processing of Personal Data is based on the explicit consent of the user, visitor, patron or customer.
These may include, for example:
- Booking a leisure activity, or a tourist or cultural service
- Demand for tourist information
- Subscription to a newsletter, for example
Withdrawal of consent for processing may be made at any time, subject to regulatory provisions, by contacting the DPO (see below).
- Legitimate interest
The processing of your Personal Data may be based on legitimate interest in the event that certain processing does not fall within the scope of its reception and information missions, such as :
Processing linked to the communication of information on events/entertainments/concerts/tours similar to those ordered by customers; the legitimate interest pursued is the promotion of its "entertainments" to its customers.
To whom may your Personal Data be communicated?
Your data may, in the context of the services provided, be transmitted to :
- Internal departments of the Tourist Office responsible for the execution of the subscribed services;
- External service providers, in particular subcontractors (guide-lecturers, for example), who undertake to comply with applicable legislation;
- To external private or public service providers who design and carry out the service previously reserved/purchased/ordered from the Tourist Office or on the Tourist Office website, and who then undertake to comply with the applicable legislation;
- To authorized third parties in compliance with applicable regulations.
Can your Personal Data be transferred outside the European Union?
L'Office de Tourisme de Perpignan processes all your Personal Data within the European Union (EU).
How long does the Office de Tourisme de Perpignan keep your Personal Data?
L'Office de Tourisme de Perpignan undertakes not to keep your Personal Data beyond the archiving period:
- Personal data archived for three years.
- Transaction data retained for the period imposed by applicable statutes of limitation.
Where applicable, information on the duration will be provided as part of the information obligations linked to the specific implementation of each processing operation.
Are your personal data protected?
The Office de Tourisme de Perpignan undertakes to take the necessary measures to ensure the security and confidentiality of Personal Data and in particular to prevent it from being damaged, deleted or accessed by unauthorized third parties.
Furthermore, in the event of a security breach affecting your Personal Data (destruction, loss, alteration or disclosure), the Tourist Office undertakes to comply with the obligation to notify the CNIL of any Personal Data breaches within 72 hours.
Does the Office de tourisme de Perpignan use a tool to analyze the navigation and use of the website perpignantourisme.com?
The site is managed by the Tourist Office and the Faire-Savoir company: it uses Matomo (https://fr.matomo.org) as a tool for analyzing the navigation and use of the www.perpignantourisme.com website by its users. The service is open source (a decentralized, participatory development model whose code can be consulted by all) and is hosted on a server belonging to the City of Perpignan in France.
The data collected by cookies is anonymous. The purpose of this data collection is to facilitate subsequent navigation on this website and to supply our traffic measurement tools with a view to constantly improving the website.
What are your rights regarding your Personal Data?
At any time, you have the right to exercise the rights provided for by the regulations in force applicable to Personal Data with the Office de Tourisme de Perpignan:
- Right of access: you may have access to your Personal Data processed by the Office de Tourisme de Perpignan ;
- Right of rectification: you may update your Personal Data or have them rectified by Perpignan Tourist Office.
- Right to object: you may express your wish not to receive any further protocol communications from Perpignan Tourist Office or to request that your Personal Data no longer be processed;
- Right to deletion: you may request the deletion of your Personal Data;
- Right to limitation: you may request the suspension of the processing of your Personal Data;
When you subscribe to a public service or collect your Personal Data, you will be given the address (postal and/or e-mail) to which you can send your request to exercise your rights.
All requests must be accompanied by proof of identity.
The Office de Tourisme de Perpignan undertakes to respond to your requests to exercise your rights as quickly as possible, in any event within the legal time limits and insofar as the exercise of this right does not hinder the performance of the contract or compliance with legal and regulatory obligations.
Who is the Data Protection Officer at Perpignan Tourist Office?
The appointment of a Data Protection Officer demonstrates the commitment of the Perpignan Tourist Office to the protection, security and confidentiality of the Personal Data of its citizens.
You can contact the Data Protection Officer at the following e-mail address: contact-office@perpignan.fr:
Or to the following postal address: Monsieur le Délégué à la Protection des Données, Office de Tourisme de Perpignan, Place de la loge 66000 Perpignan.
Reminder of the basic definitions under the RGPD
The processing of personal data can be any operation or set of operations involving this type of data. It may involve collecting, recording, storing, adapting, etc. Simple consultation or even deletion is data processing.
The data controller is the person, public authority, department or organization that determines the purposes and means of data processing. So, by default, it's the head of the company, the head of the local authority or the president of the association. The drafting of delegations of authority will be one of the key issues.
The data subject is the person to whom the data belongs, an identifiable natural person.
To be able to justify the compliance of processing operations, the new Regulation introduces a radically different logic: accountability.
accountability = from now on, the data controller will have to create the elements needed to verify that he is complying with his obligations.
We're moving away from a logic where control is carried out in the form of a survey, and moving towards a logic of self-control.
At all times, you need to be able to present documentation, produced in-house, by yourself and with maximum formality.
Accountability therefore means documenting and keeping up to date information that can be used at any time to justify compliance with the obligations set out in the Regulation.
Privacy by Design
This can be translated into privacy protection right from the design stage.
In the context of the RGPD, it's about the protection of privacy, in the French sense of the term; as protected by the European Convention on Human Rights*.
Privacy, which includes personal data, must therefore be protected right from the design stage.
Privacy by default
In French, it's best to avoid a literal translation and instead understand "default security" for personal data processing.
For each collection, the aim is to systematically ensure the highest possible level of security in the protection of personal data processing.
Minimization
This means that only personal data that is adequate, relevant and limited to what is necessary should be used for processing.
They should only be processed if they are relevant to the purpose for which they are processed: if you want to wish a list of people a happy birthday, you don't need to know their weight!
Only information that is strictly necessary should be collected, handled with care, the number of people or organizations with access to it should be limited, and it should only be processed or stored for the time strictly necessary for the purpose of the processing operation.
Anonymization
This involves removing any identifying character from the data.
All identifiers are deleted or modified, making it impossible to re-identify people.
Pseudonymization
This involves replacing an identifier with a pseudonym. This technique allows re-identification.
Rights of the person concerned
Attached is a link to the CNIL to help you understand your rights.
https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3