Updated on 25/02/2021
Definition of Personal Data: any information relating to a natural person identified or identifiable directly or indirectly in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
1 Data collected by CARTÉGIE on its sites and/or processed in its capacity as data controller
The nominative information communicated by CARTÉGIE users through requests for information on the products or services offered by the company, through forms or questionnaires placed online, filled in by users is necessary/mandatory for the processing of these requests for information, these forms or questionnaires.
The purpose of collecting personal data on this site is to process your requests and to keep you informed of our news and products. CARTÉGIE may also be led to seek data of prospects from partners for prospecting.
The legal basis for processing is CARTÉGIE’s legitimate interest in carrying out such processing within the framework of its activity and which is considered to correspond to the reasonable expectations of the individual.
Your data are kept for the time necessary for our exchanges and communications and for the logging essential to our activity. This period has been set at 5 years after the last contact.
However, certain data may be kept longer in the context of compliance with certain legal rules. In this case, they are no longer accessible to the production departments.
The data are intended for CARTÉGIE and its production, marketing and sales departments or its data processor for the purposes of managing and processing user requests.
They will only be communicated to third parties to meet legal and regulatory obligations.
CARTÉGIE may use the contact details in order to send users its newsletters and/or offers adapted to their needs. The user may refuse this communication simply by ticking the box provided for this purpose in the contact form or upon receipt by clicking on the unsubscribe link present in each newsletter.
In accordance with the legislation in force and more specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), which came into force on 25 May 2018, data subjects have the right to access, rectify, delete, instruct on their data and object on legitimate grounds.
You can exercise these rights by sending your request to our DPO by post with a copy of your identity document to the following address CARTÉGIE – DPO – 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES or by email at the following address: dpo[@]cartegie.com
If you feel, after contacting us, that your rights on your data are not respected, you can send a complaint (claim) to the CNIL.
During your connection on our site you could take note of our policy regarding cookies. You can change your initial choices at any time by clicking on this link.
2 BtoC personal data processed by CARTÉGIE in the context of its activity as a data processor
In the context of its BtoC activity, CARTÉGIE undertakes to comply with the provisions of Law No. 78-17 of 6 January 1978 as amended, relating to information technology, files and freedoms, and Regulation 679/2016 of 27 April 2016 relating to the protection of personal data.
CARTÉGIE undertakes to take the necessary measures to ensure the security and confidentiality of the personal data entrusted to it. CARTÉGIE only processes personal data on the instructions and on behalf of its partners and clients.
The origin of the data processed
CARTÉGIE does not collect data from natural persons. It is its Partners, owners of files, who collect data from individuals and who then transmit their database to CARTÉGIE as a data processor for the constitution of a database intended for marketing. Within the framework of its partnerships, CARTÉGIE only contracts with companies that undertake to comply with the legislation in force regarding the processing of personal data. The personal data that CARTÉGIE processes come from file owners in the following fields of activity:
• Major merchants
• Competitions / Co-registration / Vertical sites
Using the processed data
CARTÉGIE markets to its customers the data from its Partners’ databases.
CARTÉGIE helps its clients to build and optimise their marketing campaigns, loyalty, customer relations, communication, studies and surveys by means of statistical processing and analysis in order to:
– Select prospects for a marketing and/or communication campaign
– Enable our client to better know and thus build loyalty with its own clients.
– Enable the realization of relevant surveys and studies.
Different channels can be used to contact people: by post, by phone, by email, by sms.
Operations allowing the personalization of the communication can be carried out in order to contact you only in the context of your interests.
To carry out these treatments, CARTÉGIE acts exclusively at the request of its customers and on their behalf.
CARTÉGIE never enters into contact with people on its own behalf.
Once the selection operation has been carried out by CARTÉGIE, the data is either processed by CARTÉGIE on behalf of its clients, or transferred to service providers designated by the client, or transmitted to the client.
3 BtoB personal data processed by CARTÉGIE in the context of its activity as data controller
The data controller is: CARTÉGIE, 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES
Legal basis of the processing: the processing is based on one of the legal bases provided for in Article 6 of the RGPD, namely the legitimate interest of the data controller.
The origin of the data processed:
The data processed by CARTÉGIE in the context of its BtoB activity come from the following sources:
CARTÉGIE is a distributor of the INSEE database as well as open data databases.
CARTÉGIE also has contracts with partners who make their BtoB files available to it for marketing purposes.
CARTÉGIE collects non-confidential public data on the Internet solely for professional purposes in order to enrich its existing databases.
Indeed, the legitimate interest is one of the criteria to legitimise the processing of personal data. Recital 47 of the DPMR states that “The legitimate interests of a controller, including those of a controller to whom personal data may be disclosed, may constitute a legal basis for the processing unless the interests or fundamental rights and freedoms of the data subject prevail, having regard to the reasonable expectations of the data subjects based on their relationship with the controller. The processing of personal data for the purposes of canvassing may be regarded as being carried out in response to a legitimate interest”.
Purposes of processing:
To transmit information to its customers for the purposes of commercial solicitation, study and customer knowledge.
Elaborate directories of professionals and decision-makers in order to propose offers and/or products related to their function and/or activity.
Processed data: mainly Family Name; First Name, and Contact Details including telephone and email address. Position
The Data is provided to our professional customers within the framework of their professional activity for their marketing and/or loyalty campaigns, market research and customer knowledge. In relations between professionals, consent is not required in the case of commercial canvassing, as long as these solicitations are related to the professional activity and/or function of the person solicited.
4 The exercise of rights
In accordance with the legislation in force and more specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), applicable as of 25 May 2018, you have the right to access, rectify, delete, instruct (portability or instructions after your death) your data and to object on legitimate grounds. You may withdraw your consent at any time and request the deletion of your data. In case of problems you can appeal to the competent authority: CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07.
In order to process your data as well as possible and to answer your questions CARTÉGIE has appointed a Data Protection Officer (DPO) whose contact details are given below. You may exercise your rights by sending your request by post with a copy of your identity document to the following address CARTÉGIE – DPO – 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES or by email at the following address: dpo[@]cartegie.com
In the context of these requests CARTÉGIE will delete the data in the databases processed by its teams and will systematically forward this request to the Partner who provided it with this data for marketing purposes.
The rights can also be exercised directly with the Partner having collected the personal data or with the client contacting the person. A reply must be given within 1 month.
In any communication that reaches you after processing your personal data you are informed of your rights with the possibility either to unsubscribe in case of email and sms, or to contact the person in charge of the campaign in order to oppose the use of your data.
5 Data retention period
In accordance with Article 5e of Regulation 2016/679 of 27 April 2016, personal data shall only be kept in a form which permits identification for no longer than is necessary for the purposes for which the data were collected and processed.
In this respect, data are kept by CARTÉGIE within the framework of the BtoC for the duration indicated by its Partners.
In the absence of instructions received from the latter, for BtoC Data CARTÉGIE has established strict rules that respect the rights and freedoms of individuals and consequently, any individual whose last transaction with a Partner is more than 5 years old will not be kept by CARTÉGIE.
In the case of processing involving the provision of data to CARTÉGIE of its Clients’ data, the data will be destroyed according to the instructions of the Client.
6 Data protection
To this end, CARTÉGIE has defined a strict policy of security and confidentiality of personal data.
CARTÉGIE staff with access to data is regularly made aware of the security of personal data and more generally of computer security.
Thus, user authentication, management of authorisations and workstation security follow strict rules.
An IT charter signed by all staff members covers all of these points.
The protection of the information system is our priority. The data is stored in our own Data Center in France located at CARTÉGIE’s head office.
Our infrastructure is outsourced by our administrators who master all the security conditions ensuring total control of the data entrusted to us. Regular maintenance operations are carried out and we have a backup system.
The physical security of the premises is ensured by remote surveillance devices and the data is kept in a secure environment with restricted access.
All our data transfers are carried out using secure protocols such as HTTPS, SFTP or CFT. These protocols guarantee data encryption and, in the case of CFT, additional compression.
In the event of a data breach, a procedure has been put in place to notify our Partners as quickly as possible and to document the necessary elements to inform the supervisory authority if necessary.
In April 2019, Base Plus, a subsidiary of the IDAIA Group (formerly Groupe CARTÉGIE), is one of the first companies to obtain the Privacy Protection – Pact label, which confirms its commitment to respecting and securing personal data.