Prepared on 23 May 2018
Provençal Investments S.A., a limited-liability company incorporated under the laws of the Grand Duchy of Luxembourg, having its registered office at 127, rue de Mühlenbach, L-2168 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B 116.230 (the “Company”, “us“, “we” or “our“), acting through its permanent establishment in France registered number 491 440 095 R.C.S. Antibes, 9 rue Saint-Barthélémy, 06160 Antibes, is committed to protecting your personal data (hereinafter “you” or “your“), and intends to process your personal data in a transparent and lawful way. Personal data is any information relating to an identified or identifiable natural person. Your name, address, phone number and email address are examples of personal data. In all circumstances the Company aims to process personal data according to the following principles:
1. Transparency: Personal data is used fairly, lawfully, and transparently.
2. Limited Use: Personal data is collected for a specific and legitimate business purpose and used in a manner that is compatible with for that purpose. We security dispose of it when it is no longer needed.
3. Data Minimization: Only relevant data– not excessive amounts – is collected or used.
4. Accuracy: We aim to keep personal data accurate and up-to-date.
5. Security and Limited Access: Personal data is stored securely and is shared only with those individuals who need the data to accomplish a business objective.
This Privacy Notice is intended to provide you with some information regarding how your personal data will be collected, used, shared, and protected by the Company, which is described in greater detail in the sections below.
2. Who is the relevant “controller” of your personal data?
Our intention is to comply with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR“) and applicable local laws. The Company is the data controller of your personal data processed by us, and can be contacted here: 9, rue Saint-Barthélémy 06160 Antibes, email@example.com.
3. What data is being collected or gathered?
The Company processes your personal data in order to send you our newsletter and for you to be able to receive commercial communications from the Company, Caudwell Collection and their affiliates, as described further in Section 4 below. We do not collect personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation.
To achieve these purposes, the Company will only collect and process the following personal data:
- • First name, last name, nationality, address, email address and telephone number.
4. How is the data being processed?
Processing of your personal data by the Company will always be based on legitimate grounds. The Company will be processing your personal data described above for the following purposes and under the following legal bases:
Your personal data will be collected and processed by the Company to manage our relationships with clients. In order to be able to send you our offers and our newsletters, we need to collect your personal data. We will not use your personal data for decisions based solely on automated processing if the decision produces legal effects concerning you or significantly affects you, unless you gave your explicit consent for this processing.
Your personal data may also be processed in connection with any legal proceedings or prospective legal proceedings, in order for the Company to establish, exercise or defend its legal rights, or in order to fulfill legal obligations, including but not limited to after a request from a competent administrative or judicial authority or in any circumstance where such processing is requested pursuant to applicable laws.
The Company will process your personal data identified above for our legitimate business interests around administering our relationships with clients and to maintain up to date our client database. The company will also process your personal data to comply with our legal obligation and, in particular, to comply with your rights as data subjects and your opt-out requests.
5. Who has access to your personal data?
The Company limits who has access to the personal data in our possession to only those who need it for a legitimate business purpose. Personal data is shared on a “need to know” basis. Only those individuals who need the data to accomplish a business objective should have access to personal data, and only for as long as they need it to accomplish the objective. Individual recipients are not authorized to share personal data with other employees or third parties unless that sharing is authorized and complies with all applicable Company policies. Specifically, we anticipate that the following categories of recipients will have access to your personal data, for the purposes listed below:
• Caudwell Collection entities and, in particular, the Company and Caudwell Collection affiliates to administer and manage the clients relationships and intragroup organization.
• Salesforce our CRM provider.
• Our potential technical service providers.
The Company may engage third party vendors to assist in processing personal data from time to time. The Company will pass on to any such vendor its obligations under the applicable data privacy law, require that the vendor secure the data, and provide additional notice as required by law. We will not sell, distribute or lease your personal data to third parties unless we have your permission or are required by law to do so.
Some of the recipients noted above might be located outside the European Economic Area (“EEA“). As described in Section 6 below, appropriate safeguards have been implemented to cover such transfers to recipients who will comply with all applicable laws and regulations.
6. Where is the data being transferred? On what legal grounds?
For EEA data subjects, your personal data may be transferred outside the EEA for the purposes listed above pursuant to EU Standard Contractual Clauses, Privacy Shield, or another legally binding and permissible arrangement. Such transfers will be compliant with all applicable laws and regulations. Relevant additional details regarding the basis for transfers of your personal data can be provided upon request by contacting us at firstname.lastname@example.org.
7. Data Security.
We are committed to ensuring that your personal data is secure. In order to prevent unauthorized access or disclosure, we have put in place appropriate technical and organizational measures to safeguard and secure the personal data we process. We employ a suite of various IT security tools in order to safeguard personal data, restrict access to the data, and have physical and organizational security measures in place to prevent unauthorized or unlawful access to personal data and accidental loss, destruction, or damage to personal data. The Company also maintains an inventory of personal data and evaluate the protections that we have in place for that data to ensure that our security measures are tailored to the sensitivity of the data.
In addition, as described in Section 5 above, the Company has carefully limited access to your personal data only to those individuals who need access to it in order to fulfill their assigned roles, and only to the extent that they need such access. Only those individuals who need the data to accomplish a business objective should have access to personal data, and only for as long as they need it to accomplish the objective. Employees are not authorized to share personal data with other employees or third parties unless that sharing is authorized and complies with this Policy.
If, despite all our efforts, a data breach does occur, we shall do everything in our power to limit the damage. In case of a data breach which is likely to result in a high risk, and depending on the circumstances, we will inform you about remedial actions to prevent any further damage. We always inform the relevant supervisory authority or authorities without undue delay.
8. Data Retention information.
The Company strives to only store your personal for as long as necessary for the purpose for which we have processed it, and to dispose of it securely once that purpose has been fulfilled. Your personal contact data will only be retained 3 years from the last contact with you. In certain circumstances we may have to retain your personal data for a longer period to comply with a legal obligation or with a request from a public authority. In these events, we will delete or anonymized your personal data as soon as we complied with our legal obligation of with the public authority request. The retention periods are established considering legitimate business purposes, according to the local regulations.
9. Data subject rights.
Data subject rights vary based on your local law. However, you can always ask the Company for more information about the people who will be able to see and access the data that relates to you. If you are aware of inaccurate data, it is your responsibility to request that data to be updated and corrected.
If you are located within the EEA, you may also have the right to:
1. Request that your personal data be erased if you believe that one of the following applies: (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the personal data has been unlawfully processed; (iii) the personal data has to be erased for compliance with a legal obligation under a law to which the controller is subject; (iv) you have objected to the processing and there is no other legal ground for the processing;
2. Under certain circumstances and in relation to certain personal data only, receive your personal data in a structured, commonly used, and machine-readable format, as well as the right to transmit the data to another controller without hindrance;
3. Restrict the processing where one of the following applies: (i) you have contested the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defense of legal claims; (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;
4. to lodge a complaint with the supervisory authority, if you believe that your personal data have been processed unlawfully;
5. to withdraw your consent, where the processing of your personal data is based on your consent;
6. Define directives on the fate of your personal data after death.
The Company is committed to ensuring your data is protected from misuse. If you think your data and information have been used in violation of the laws, regulations, or the applicable data protection provisions, please alert the Company and it will assist you.
In particular, if you do not want to receive our newsletter or marketing communications from us, you can opt-out to these processing operations in contacting us at email@example.com
Any other requests, including those regarding the exercise of such rights, and questions can be directed to firstname.lastname@example.org.