General Data Protection Regulation (GDPR) – SODIREL
SODIREL Group Data Use Charter
Sodirel, including its subsidiaries, is committed to respecting your privacy as well as the applicable data protection laws, in accordance with the French “Informatique et Libertés” Act No. 78-17 of 6 January 1978, as amended, and the European Regulation on Personal Data (GDPR).
The purpose of this Data Use Charter is to describe our methods for collecting and using personal data when you browse one of the Sodirel group’s websites or when you use our services and/or applications (mobile and tablet), where Sodirel or one of its subsidiaries acts as data controller.
This Charter is therefore intended to inform you of your rights and of our obligations regarding the protection of privacy and personal data.
Definitions
Cookies: When you visit one of the Websites, cookies may be automatically installed (with consent) on your browsing software by the Sodirel Group, one of its Processors, or one of its Partner companies. A cookie is a file that does not allow users to be identified (unless consent is given), but is used to record information relating to the user’s browsing of the website, including audience statistics and browsing history. The information contained in this file may only be analyzed or modified by the company that issues the Cookie. Cookies make it possible to suggest content, targeted advertising, etc.
Personal data: Personal data means any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to that person.
Browsing data: refers to data relating to the connection of a device to an electronic communications service at a given time.
SODIREL Group: refers to the company Sodirel, as well as its subsidiaries: Sodirel and Halte Terre Native.
Partner: refers to any company that has entered into a commercial partnership with one of the companies of the Sodirel Group.
Users: refers to any natural person who accesses the Websites or uses one of the Sodirel Group’s services and/or applications (mobile and tablet).
Websites: refers to the following websites:
– https://www.boutique-sodirel.re
– https://www.sodirel.re
– https://www.halteterrenative.re
Processor: refers to any company that may be required to access and process Personal Data or Browsing Data on behalf of the SODIREL Group, in accordance with the instructions given by the latter.
I. What is the legal framework?
The SODIREL Group complies with European and French standards regarding the protection of personal data. The rights and guarantees of our Users governed by this Data Use Charter are subject to the French “Informatique et Libertés” Act No. 78-17 of 6 January 1978, as amended, the Act “for confidence in the digital economy” (“LCEN”) No. 2004-575 of 21 June 2004 (Article L. 33-4-1 of the French Postal and Electronic Communications Code and Article L. 121-20-5 of the French Consumer Code), and Regulation (EU) No. 2016/679 on the protection of personal data.
II. What data and information are collected?
We may collect Personal Data when the User registers, in particular for one of our newsletters or one of the services offered on our Websites, when the User makes a purchase, participates in a game, a contest, or responds to a survey, and on the basis of our legitimate interest.
Ø Personal data collected via Cookies (and similar technologies):
Viewing and browsing our websites
Frequency of pages visited
Audience measurement on the device
Content viewed (programme name, viewing duration, etc.)
IP address of the device connected to the services
Geolocation area
Date, time and duration of a device’s connection to one of the services
Internet address of the referring page from which the device accessed the services
Personalization on the device
Type of the device’s operating system
Type and version of the browser used by the device
Possible download errors
Browser language used by the device
Media player settings (volume level selected during your browsing, the point at which you stopped)
Information on transactions carried out or initiated (products concerned, transaction type, etc.)
Mobile advertising identifiers
User sessions
JavaScript enabled in the browser used
Ø Personal data that you consent to communicate directly to us via a form or when registering for one of our services:
Title, surname, first name, age, address, country, gender, email address, date of birth, telephone number (landline and mobile), professional or private individual, occupation, interests, profile photo, tenant or homeowner.
Ø Special case: personal data of minors and banking data collected via the website https://www.halteterrenative.re
In accordance with the General Terms of Use of the Sodirel shop, minors may not create an account on the websites https://www.halteterrenative.re. Consequently, Halte Terre Native is not likely to collect the personal data of a minor.
When a user makes a purchase on the website https://www.halteterrenative.re, the processing of their bank data is carried out by its banking service provider: Paybox / Verifone. Halte Terre Native has no access to such bank data and is in no way responsible for its processing.
All operations on such data are carried out by Paybox / Verifone in compliance with the applicable regulations, in particular Act No. 78-17 “Informatique, Fichiers et Libertés” of 6 January 1978, as amended, and European Regulation No. 2016/679 on Data Protection. Paybox / Verifone is a PCI DSS Level-1 V3.2 certified provider and implements security measures detailed in its Personal Data Protection Charter.
III. How do we use your data?
Customer management:
contracts; orders; deliveries; invoices; accounting, and in particular the management of customer accounts; a loyalty program within one legal entity or multiple legal entities; customer relationship monitoring such as carrying out satisfaction surveys, handling complaints and after-sales service; selecting customers to conduct studies, surveys and product tests (unless the consent of the data subjects has been obtained under adequate and lawful conditions, these operations must not lead to the creation of profiles that could reveal sensitive data—racial or ethnic origins, philosophical, political, trade-union or religious opinions, sexual life or health).Prospecting:
management of technical prospecting operations (including, in particular, technical operations such as standardization, enrichment and deduplication);
selecting individuals to carry out loyalty, prospecting, survey, product testing and promotional actions. Unless the consent of the data subjects has been obtained under adequate and lawful conditions, these operations will not lead to the creation of profiles likely to reveal sensitive data (racial or ethnic origins, philosophical, political, trade-union or religious opinions, sexual life or health);
carrying out solicitation operations;Loyalty operations
Preparation of commercial statistics
Statistical analyses
Sale, rental or exchange of customer and prospect files
Organization of contests, prize draws or any promotional operation, excluding online gambling and games of chance subject to authorization by the Online Gambling Regulatory Authority;
Management of requests for the rights of access, rectification, objection, erasure and portability
Profiling
Management of individuals’ reviews of products, services or content
Audience measurement statistics;
Personalization of services;
Statistics enabling the sale of advertising space via programmatic marketing;
Building a customer database for commercial prospecting purposes
Informational newsletters
Management of unpaid invoices and disputes, provided that it does not relate to offences and/or does not result in the person being excluded from the benefit of a right, a service or a contract;
IV. For how long is your data retained?
Ø Data relating to the management of customers and prospects:
Personal data relating to customers will not be retained beyond the period strictly necessary for the management of the commercial relationship.
However, data enabling proof of a right or a contract to be established, or retained in order to comply with a legal obligation, may be subject to an intermediate archiving policy for a period not exceeding the duration necessary for the purposes for which it is retained, in accordance with the applicable provisions (including, but not limited to, those provided for by the French Commercial Code, the French Civil Code and the French Consumer Code). For this purpose, a dedicated archive database or a logical separation within the active database will be provided, after sorting the relevant data to be archived.
Personal data relating to a User will be retained for a period of three years from its collection by the SODIREL Group or from the last contact from the prospect (for example, a request for documentation or a click on a hyperlink contained in an email; however, opening an email cannot be considered a contact from the prospect).
At the end of this three-year period, the SODIREL Group may contact the data subject again to ask whether they wish to continue receiving commercial solicitations. In the absence of a positive and explicit response from the individual, the data will be deleted or archived in accordance with the applicable provisions, including those provided for by the French Commercial Code, the French Civil Code and the French Consumer Code.
Ø Identity documents:
In the event of exercising the right of access or rectification, data relating to identity documents may be retained for the period provided for in Article 9 of the French Code of Criminal Procedure (i.e., one year). In the event of exercising the right to object, such data may be archived for the limitation period provided for in Article 8 of the French Code of Criminal Procedure (i.e., three years).
Ø Management of opt-out lists for marketing communications:
When a person exercises their right to object to receiving marketing communications from the SODIREL Group, the information necessary to take account of that objection will be retained for a minimum of three years from the exercise of the right to object. Such data will in no event be used for purposes other than managing the objection right, and only the data necessary to take the objection into account will be retained (for example, the email address).
Ø Browsing Data:
Information stored in Users’ devices (e.g., cookies), or any other element used to identify Users and enable their traceability, will not be retained beyond thirteen months. New visits will not extend the lifespan of this information.
Raw traffic data associating an identifier will not be retained for more than thirteen months. Beyond this period, the data will either be deleted or anonymized.
V. Who can use the data?
Ø The SODIREL Group:
The companies of the SODIREL Group: Sodirel, Halte Terre Native.
Within the companies of the SODIREL Group, only authorized personnel have access to Personal Data and Browsing Data, solely within the scope of their duties, and they are subject to a strict confidentiality obligation.
Ø Processors:
Processors to whom the SODIREL Group engages for technical services, analytics solution providers, contest/survey services, commercial solicitations, newsletter distribution, etc.
Below is the list of Processors that may access Personal Data and Browsing Data, as well as their place of establishment and their contact email address so that you may exercise your rights with these entities:
Sodirel Processors:
Paybox / Verifone: management of online payments on the websites
Sendinblue: email marketing platform
WooCommerce / WordPress / PrestaShop: for the website
Divalto: management and processing of orders
Ø Third parties authorized by law:
Third parties within the limits of cases governed by law, such as judicial or administrative authorities.
VI. Transfers outside the European Union
The SODIREL Group may transfer Personal Data and Browsing Data to Halte Terre Native companies located in Réunion and to the company Sendinblue located in France.
Data transfers are governed by the European Commission’s standard contractual clauses or by binding corporate rules (BCR) or ad hoc contractual clauses previously recognized by the CNIL as ensuring a sufficient level of protection of privacy and of individuals’ fundamental rights, or by an international agreement such as the Privacy Shield for transfers to the United States.
Only data that is relevant with regard to the purpose pursued by the transfer may be transferred.
You may access the documents authorizing data transfers outside the European Union by simple request to the following address: contact@sodirel.re
VII. How do you consent to offers from our partners?
You requested to receive, by email and/or SMS and/or postal mail, offers relating to products or services provided by our Partners by checking the relevant box, in particular when subscribing to our Newsletters and the services offered on our Websites.
You therefore accepted that our Partners may hold your personal data and may send you their offers, until you withdraw your consent.
The SODIREL Group is not responsible for the processing of your Personal Data by our Partners once such data has been transmitted to them in accordance with your request. Our Partners are responsible towards you for the use they make of your Personal Data and for the respect of your rights, in particular the rights of rectification, correction, deletion, erasure and portability of such data.
VIII. What are your rights as a User?
You have various rights regarding the processing of your Personal Data: the right of access, inquiry and rectification, the right to be forgotten, the right to object, the right to data portability, and the right not to be subject to a decision based solely on automated processing.
Ø Right of access, inquiry, rectification and objection
Within the limits of the applicable regulations, you may request the rectification, completion, updating, objection to and erasure of your Personal Data by contacting us at the addresses indicated at the end of the Charter.
Ø Right to be forgotten
You have the right to the erasure of your Personal Data in various cases, in particular where:
the processing is not necessary with regard to the purposes for which the Personal Data was collected or processed;
the processing is unlawful;
you have withdrawn your consent to such processing of Personal Data and there is no other legal basis for the processing;
you objected to such processing and there are no overriding legitimate grounds justifying such processing;
there is a legal obligation under the legislation of the Union or of the Member States to which the SODIREL Group is subject, requiring the erasure of such Personal Data.
Pursuant to the provisions of Decree No. 2007-451 of 25 March 2007 amending Decree No. 2005-1309 of 20 October 2005 implementing Act No. 78-17 of 6 January 1978 relating to information technology, data files and civil liberties, your request to exercise one of your rights must be accompanied by a photocopy of an identity document bearing the holder’s signature. Your request must also specify the email address to which the response should be sent.
The SODIREL Group will respond within one month following receipt of the request. This period may be extended by two months depending on the complexity and number of requests.
Ø Right to data portability
You have the right to data portability, meaning to receive the Personal Data that you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another data controller. To do so, please contact us at the addresses indicated at the end of the Charter.
IX. Who to contact?
To exercise all of these rights, you may write to:
For the website and service published by Sodirel: contact@sodirel.re
For the website and service published by Halte Terre Native: hello@halteterrenative.re
X. How to contact the CNIL?
If you have a question or difficulty, or wish to file a complaint, you may contact the CNIL at the following address:
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22