PERSONAL DATA PROCESSING POLICY
Version as of 21 April 2022
Pursuant to Act No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms, and the European Protection Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Company informs any person accessing the services offered on the Site (hereinafter, the "User") of its commitment to respect the confidentiality, integrity and security of the data that the User will be led to communicate to it, in particular via the website www.aquachiara.com (hereinafter, the "Site").
Any personal data identifying the User directly (in particular their surname, first name, postal, electronic or telephone details) or indirectly are considered confidential data and are treated as such, subject to any changes to the legal framework on the qualification of personal data (hereinafter, the "Personal Data").
-
Identification of the data controller
The data controller who collects and manages the Users' data on the Site is the Company.
-
Personal data that may be collected
When browsing the Site and using the various services offered by the Company, the User consents to the Company collecting the following categories of data:
- Personal identification data: surname, first name, postal address, e-mail address, telephone number, nature of activity (company, private individual) and information for assessing consumption;
- Subscription to the Company's newsletter;
- Subscription to special offers from partners.
The User undertakes to provide up-to-date and valid Personal Identification Data as part of the information requested on the Site and guarantees not to make any false statements or provide any erroneous information.
-
How Personal Data is collected
The User consents to the collection of their Personal Data by the Company through:
- The contact form;
- Online purchases;
- Subscription to the Company's newsletter;
- Subscription to special offers from partners.
-
Legal basis for the collection and processing of Personal Data
Users' Personal Data are collected on the following legal grounds:
- The specific, free and informed consent of the User (in particular for the subscription to the newsletter);
- Fulfilment of a legal obligation incumbent on the Company;
- The performance of a contract between the Company and the User;
- The legitimate interest of the Company.
-
Purpose of processing Personal Data
Mandatory Personal Data are those data that are strictly necessary for the processing of the User's requests. In the absence of such data, the User is informed that certain services offered by the Company may not be provided. The compulsory nature of the information requested is indicated to the User at the time of collection.
Optional Personal Data are data collected by the Company in order to better know the User and to improve their browsing experience on the Site.
Personal Data are collected and processed for the following purposes:
- Contact and support;
- Commercial prospecting;
- Improvements to services;
- Subscription to the Company's newsletter;
- Registration for special offers from partners.
Users are informed that, subject to their prior, specific, positive consent, the Personal Data transmitted may be transferred to the Company's commercial partners so that the latter may inform Users about their offers and services.
-
Duration of retention of Personal Data
Personal data is deleted or archived after a period of three (3) years following the last use of the Site by the User.
Such data may also be kept for a period of ten (10) years thereafter in the archive, under restricted access, in order to (i) comply with the Company's legal and regulatory obligations, and/or (ii) to enable it to assert a legal claim, before being permanently deleted.
-
Recipient of the Personal Data
The User's Personal Data is intended for persons duly authorised to process it within the Company, in particular, and depending on the nature of the processing and the type of data, the persons in charge of the customer service, marketing and IT departments.
In the course of carrying out its activities and providing its services, the Company may use subcontractors.
These subcontractors:
- Process the User's Personal Data on its behalf and on its instructions;
- Present sufficient guarantees regarding the implementation of appropriate technical and organisational measures to ensure the security and confidentiality of the User's data.
In cases where the Company has recourse to subcontractors located in countries offering levels of protection that are not equivalent to the level of protection of personal data in the European Union, the Company undertakes to ensure that the said transfer is governed by the data protection agreements put in place between the European Union and the countries of destination, or by the signing of standard contractual clauses established by the European Commission, or by the implementation of internal company rules ("BCR").
The User's Personal Data (in particular the email address) may be transmitted to partners for electronic commercial prospecting campaigns, only if the User has consented to this. The User may withdraw their consent at any time by unchecking the box "Receive special offers from our partners".
-
Measures implemented by the Company to ensure the security and confidentiality of Personal Data
The Company undertakes to process Personal Data in a manner that is:
- Lawful;
- Fair;
- Transparent;
- Proportionate;
- Relevant;
- Within the strict framework of the aims pursued and announced;
- For the duration necessary for the processing carried out;
- In a secure manner.
The Company implements and maintains appropriate technical and organisational measures to ensure the security and confidentiality of Personal Data, preventing them from being distorted, damaged or communicated to unauthorised third parties.
-
Users' Rights to Personal Data
It is possible for the User, upon written request, to access the Personal Data concerning them, to ask for their modification or rectification, or to demand that they no longer appear in the Company's database.
Under the right of access, the User is entitled, in accordance with Article 15 of the GDPR, to question the Company in order to obtain: (i) disclosure of their Personal Data in an accessible form; (ii) confirmation that their Personal Data is or is no longer being processed; (iii) disclosure of the purposes of the processing, the categories of Personal Data processed and the recipients to whom their Personal Data is disclosed; and (iv) the length of time their Personal Data is retained or the criteria used to determine that length of time.
In accordance with Article 16 of the GDPR, the right of rectification gives the User the right to demand that the Company rectify, complete or update their Personal Data when it is inaccurate, incomplete, ambiguous or out of date.
Under the conditions provided for in Article 17 of the GDPR, the User has a right to the deletion of their Personal Data, allowing them to ask the Company to delete their Personal Data as soon as possible, in particular when they are no longer necessary with regard to the purposes for which they were collected.
The User also has the right to limit the processing of their Personal Data in the cases listed in Article 18 of the GDPR. They may thus request that their Personal Data be kept only:
- To verify the accuracy of the Personal Data they are disputing;
- To be used in the context of the establishment, exercise or defence of their rights in court, even if the Company no longer has any use for them;
- To verify whether the legitimate reasons pursued by the Company prevail over their own in the event that they object to processing based on the Company's legitimate interest;
- To fulfil their request to limit the use of their data, rather than to erase it, in the event that the processing of their data is unlawful.
In the circumstances provided for in Article 20 of the GDPR, the User has a right to the portability of their Personal Data, allowing them to recover from the Company the Personal Data they have provided, in a structured, commonly used and machine-readable format, for the purpose of transmitting it to another data controller.
In accordance with Article 21 of the GDPR, the User has the right to object, at any time, to the processing of their Personal Data for commercial prospecting purposes.
In accordance with Article 85 of Law 78-17 of 6 January 1978 on information technology, files and freedoms, the User may define specific directives relating to the conservation, deletion and communication of their personal data post-mortem. These specific directives will only concern the processing carried out by the Company and will be limited to this area.
To exercise their rights of access, rectification, deletion, limitation, portability and opposition as mentioned above, Users should send their request by e-mail to the following address: info@aquachiara.com and/or by post to the following address: Aquachiara, 17 rue Burq, 75018 Paris France.
The Company will provide the person exercising one of these rights with information on the measures taken as soon as possible and in any event within one (1) month of receipt of the request. This period may be extended by two (2) months, in view of the complexity and number of applications. The Company may verify the identity of the person before proceeding with the request.
If the Company does not comply with the request, it will inform the person as soon as possible, and at the latest within one (1) month of receipt of the request, of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of lodging a judicial appeal.
The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right to (i) charge a fee reflecting administrative costs, or (ii) refuse to comply with such requests.
-
Remedies for breach of Personal Data
In the event of a breach of the User's Personal Data that may pose a risk to their rights and freedoms, the Company shall notify the CNIL of the breach as soon as possible and, if possible, no later than seventy-two (72) hours after becoming aware of it. The Company will also inform the User as soon as possible in accordance with the provisions of Article 34 of the GDPR.
Without prejudice to any other administrative or judicial remedy, the User who considers that the processing of their Personal Data constitutes a violation of the provisions of the legislation in force may lodge a complaint with a competent supervisory authority such as the Commission Nationale de l'Informatique et des Libertés (CNIL).
-
Request for information
For any question concerning the processing of their personal data and the exercise of their rights, Users may contact the dedicated service by e-mail at the following address: info@aquachiara.com and/or by post at the following address: Aquachiara, 17 rue Burq, 75018 Paris France.