EUROPA BOOKING & SERVICES PRIVACY POLICY

September 2023

1. GENERAL PROVISIONS

1.1. PREAMBLE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

Subsequently, and to implement the changes of the RGPD, the law n°78-17 of 6 January 1978 known as the Data Protection Act was amended by the law n°2018-493 of 20 June 2018 by the ordinance n°2018-1125 of 12 December 2018 on data protection.

The regulations applicable to the protection of personal data thus include the following texts:

  • the RGPD
  • the French Data Protection Act (Loi Informatique et Libertés), as updated by the aforementioned texts.
  • the recommendations of the CNIL.

Article 12 of the RGPD requires that data subjects be informed of their rights in a concise, transparent, understandable, and easily accessible manner.

This privacy policy covers the personal data of customers making a hotel reservation with Europa Booking & Services.

1.2 PURPOSE

The purpose of this policy is to meet the obligation to provide information on the processing of personal data of customers.

1.3. GENERAL PRINCIPLES

No processing shall be carried out on your data if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of existing processing will be made known to the customers' contact persons by means of an amendment to this policy.

2. IDENTIFICATION OF TREATMENTS

2.1. CATEGORIES OF DATA COLLECTED AND ORIGIN OF THE DATA

The data collected are:

Non-technical data (depending on the use case)

  • Identity of the contact person(s) in charge of a file (e.g., title, surname, first name)
  • Professional details of the contact person(s) (e.g., email, postal address, fixed or mobile telephone number, fax number)
  • Professional information of the contact person(s) (e.g., position, grade, function)
  • Financial data (bank card, RIB, etc.)
  • Transaction data (amount and date of transactions, etc.).

Technical data (depending on use cases)

  • Identification data (IP)
  • Connection data (logs in particular)
  • Acceptance data (click)
  • Location data
  • Traceability data (access to the places where the event takes place)
  • Cookies

2.2. PURPOSES OF THE PROCESSING

Pre-contractual exchanges
The data of customers' contact persons is processed for hotel reservation purposes by Europa Booking & Services.

Contract and follow-up of the contract
The data of customers' contact persons is processed as part of the monitoring of contractual relationships for hotel reservations by Europa Booking & Services.

Invoicing, payment, and accounting
The data of the customers' contact persons is used for invoicing and payment of the services provided.

Organiser relationship management
The data of the customers' contact persons is processed to communicate with them in the context of questions that they may ask during the current or future execution of a contract with Europa Booking & Services.

Sending of canvassing, newsletters, or news feeds
The data of the customers' contact persons is processed for the purposes of commercial canvassing, sending of newsletters or news feeds.

Production of statistics

Customer data may be subject to statistics.

2.3. RETENTION PERIODS

The duration of data retention is defined regarding legal and contractual constraints and, failing that, according to needs and according to the following principles:

Contracts concluded with customers
5 years from the end of the contractual relationship
10 years for contracts concluded by electronic means over 120 euros

Commercial correspondence (order forms, delivery notes, invoices, etc.)
10 years from the end of the accounting period

Data processed for canvassing purposes
3 years from the date of collection of the data or the last positive act (request for documentation, click on a hypertext link, etc.)

Technical data
1 year from collection

Banking data
Deleted as soon as the transaction is completed, unless expressly agreed by the customer.
If the transaction is disputed: retention for 13 months in archiving following the debit date.

Cookies
Cookies are kept for 13 months from the time they are deposited on your terminal, starting from the last time you use the website or the mobile application.

The periods indicated are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute.

Once the time limits have expired, the data are either deleted or kept after being anonymised, particularly for statistical purposes. They may be kept in the event of pre-litigation and litigation.

Customers and prospects are reminded that deletion or anonymisation are irreversible operations that do not allow data to be restored later.

2.4. LEGAL BASIS

The processing of the data of contact persons with the customers as presented above is based on pre-contractual or contractual execution.

When necessary, the consent of the people concerned is obtained.

2.5. RECIPIENTS OF THE DATA

The recipients of the data are the natural or legal persons who receive the personal data. Data recipients may therefore be employees of Europa Booking & Services as well as external organisations.

The data collected and processed in the context of relations with the customers are only accessible to authorised internal and external recipients, and to the following recipients:

  • the staff of the competent departments authorised to manage relations with the customers' contacts and their line managers.
  • the staff of the support services, i.e., the administrative services, the logistics and IT services and their line managers
  • service providers or support services (e.g., IT service provider)
  • the competent authorities if we are required to share certain data with judicial officers, departments responsible for internal control procedures, etc.
  • the hotels chosen to accommodate the beneficiaries of the reservations made.

With regard to internal recipients, we decide which recipient will be able to have access to which data according to an authorization policy and we ensure that they are subject to an obligation of confidentiality.

With regard to external recipients, we inform you that the personal data of customer contacts may thus be communicated to certain of our service providers or to any authority legally authorized to know it (tax and social authorities in particular).

In this case, Europa Booking & Services is not responsible for the conditions under which the personnel of these authorities have access to and use the data.

3. MANAGEMENT OF PEOPLE'S RIGHTS

3.1. RIGHT OF OPPOSITION

Customers have the right to object to any commercial prospecting by post, telephone, or electronic means, including profiling to the extent that it is linked to such prospecting.

In the case of prospecting by electronic means, it will be possible at any time for customers to oppose such prospecting either by clicking on the link in the sending email, or by modifying their preferences. account on our websites.

By SMS, it is possible to oppose any prospecting by sending “stop” to the number appearing in the message received.

3.2. RIGHT OF ACCESS AND RIGHT TO COPY

Customers have the right to ask us whether we are processing data about their members (staff, managers, etc.) in the context of contracts concluded with them or in the context of marketing messages sent to them.

They may also request a copy of their members' data being processed.

However, in the event of a request for additional copies, the customers may be required to bear the cost of the new copy.

If requests from customers are made electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

The customers are informed that this right of access may not relate to confidential information or data or to information which may not be disclosed by law.

The right of access must not be exercised in an abusive manner, i.e., on a regular basis with the sole aim of destabilising the proper performance of our services.

3.3. RIGHT OF RECTIFICATION

Customers have the right to request the rectification of certain data concerning their personnel that are obsolete or erroneous.

3.4. RIGHT TO ERASURE

The customers may only invoke the right to erasure of their staff data in the following cases:

  • the contract has been terminated and is no longer in effect
  • staff members whose data are processed and who are no longer employed by one of the customers and who therefore wish to be deleted from the customers' database.

3.5. RIGHT TO LIMITATION

The customers are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not fulfilled regarding the processing of the personal data of their staff members. 

3.6. RIGHT TO PORTABILITY

Customers and prospects benefit from the right to portability of their data in the case of data communicated by customers or prospects themselves, on online services offered by the person to whom the request is made and for the purposes based on the sole consent of individuals or the execution of the contract.

In this case the data will be communicated in a structured, commonly used, and machine-readable format.

3.7. AUTOMATED INDIVIDUAL DECISION

No processing is based on automated individual decisions.

3.8. POST-MORTEM LAW

Customers are informed that they have the right to formulate directives concerning the conservation, erasure, and communication of their post-mortem data.

The communication of specific post-mortem directives and the exercise of their rights are carried out by email to the address dpo-ebs@racine.eu

3.9. OPTIONAL OR OBLIGATORY NATURE OF ANSWERS

Customers are informed on each personal data collection form of the mandatory or optional nature of the responses by the presence of an asterisk.

3.10. RIGHT OF USE

Customer data is subject to a right to use and process their personal data for the purposes set out above.

However, enriched data which is the result of processing and analysis work, otherwise called “enriched data”, remains the exclusive property of Europa Booking & Services (usage analysis, statistics, etc.).

3.11. EXERCISE OF INTERLOCUTORS' RIGHTS

To exercise their rights, customers should contact us at dpo-ebs@racine.eu

4. SUPPLEMENTARY PROVISIONS

4.1. SUBCONTRACTING

We may use any subcontractor of our choice to process the personal data of contact persons with the customers.

In this case, we shall ensure that the subcontractor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on them as we impose on ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the provisions of the GDPR.

4.2. REGISTER OF PROCESSING

We undertake to maintain a register of all processing activities carried out where required by law.

This register is a document or application allowing us to list all the processing activities carried out by Europa Booking & Services.

We undertake to provide the CNIL, on first request, with information enabling it to verify the compliance of the processing operations with the data protection regulations in force.

4.3. SECURITY MEASURES

We implement such physical or logical technical security measures as we consider appropriate to protect against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of data.

These measures mainly include:

  • management of authorisations to access data
  • the use of security protocol or solutions.
  • encryption products
  • firewall
  • securing the Wi-Fi network and remote access,
  • https security access
  • security patch policy
  • Conducting external audits
  • adoption of an information systems security policy

In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

4.4. DATA BREACH

Any data breach that we may suffer will be notified to the CNIL under the conditions prescribed by the regulations on personal data.

Contact persons for the customers are informed of any data breach that could pose a high risk to their privacy.

4.5. CROSS-BORDER FLOWS

Europa Booking & Services reserves the right to implement cross-border flows outside the EU of the data it processes.

In such a case, Europa Booking & Services will ensure that the rights of the customers are respected and will, if necessary, sign one or more contracts allowing it to control these flows with the recipient country or countries.

5. CONTACTS

5.1. DATA PROTECTION OFFICER

Europa Booking & Services has appointed a Data Protection Officer.

The contact details of the data protection officer are as follows:

Name: Maître Eric Barbry, Cabinet Racine Avocats
E-mail address: dpo-ebs@racine.eu
Phone: +33 1 44 82 43 00

In the event of new processing of personal data, Europa Booking & Services will first refer the matter to the Data Protection Officer.

If the customers wish to obtain specific information or wish to ask a specific question, they may refer the matter to the Data Protection Officer, who will give them an answer within a reasonable period regarding the question asked or the information required.

In the event of problems with the processing of personal data, the customers may refer the matter to the appointed Data Protection Officer.

5.2. RIGHT TO LODGE A COMPLAINT WITH THE CNIL

Customers have the right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

CNIL – Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07

Phone: +33 1 53 73 22 22

5.3. EVOLUTION

This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions, and recommendations of the CNIL, or changes in usage.

Any new version of this policy will be brought to the attention of the customers by any means we choose, including electronically (e.g., distribution by e-mail or online).

5.4. FOR FURTHER INFORMATION

For further information, you can contact the following department: dpo-ebs@racine.eu