1. Who are we?
1.1 Data Controller
The following information is provided so you may be made aware of the commitments regarding personal data protection of the Compagnie des Fromages & RichesMonts, whose registered office is located at 5 rue Chante-Coq, 92800 Puteaux, France, which acts as data controller for the processing of personal data referred to in this document, hereinafter referred to as “the Data Controller” or “We”.
1.2 Our data protection policy manager
The Data Controller has appointed a person responsible for the data protection policy who you can contact:
- by email at the following address: donneespersonnelles@cf-r.com
or
- by post at the following address: CF&R, Service qualité, BP 80085, 14503 Vire Cedex, France
The data protection officer can be contacted in French or English at the following address: dpo@savencia.com.
2. The personal data we process
As part of the processing of personal data, the Data Controller collects and processes the following information:
- Surname, first name, company, email address, telephone number, IP
3. The purposes and legal grounds for our data processing
3.1 The purposes of our processing
The processing we carry out is to ensure:
- Website content management;
- Audience analysis;
- Management of requests from the contact form;
- Statistics and reporting
3.2 The legal grounds for our processing
We only carry out data processing if at least one of the following conditions is met:
- your consent to the processing operations has been obtained;
- the existence of our legitimate interest, or that of a third-party, justifies that we process the personal data concerned;
- the performance of a contract binding us to you requires us to process the personal data concerned;
- we are bound by legal and regulatory obligations that require the processing of the personal data concerned.
4. Recipients of your data
The personal data we collect, as well as that collected subsequently, is intended for us in our capacity as Data Controller. We ensure that only authorised persons have access to this data. Our subcontractors/service providers located in France, Europe or the United States may receive this data in order to perform the services required of them. Your personal data may be reconciled, pooled or shared between all the parent, sister and subsidiary entities of the Data Controller. It may be communicated to these entities for the purposes referred to in this information notice. These operations are carried out using instruments that comply with the applicable regulations and that are capable of ensuring that your rights are protected and respected.
5. Transfer of your data
We transfer your personal data to partners located in the United States. Each of these transfers is governed by legal instruments that comply with the applicable legal framework.
6. The periods for which we keep your data
The retention periods we apply to your personal data are proportionate to the purposes for which it was collected. Consequently, we organise our data retention policy as follows:
- Purpose of processing: Cookies
- Retention period: Refer to the Cookie Policy
- Cookies: 13 months from their installation on your device
- In the event of the exercise of rights of access, rectification, erasure, restriction, data relating to identity documents and information enabling these rights to be taken into account: 1 year from receipt of the request.
- If the right to object is exercised, the data relating to identity documents and information making it possible to take into account the right to object: 6 years from receipt of the request.
- Requests made using the contact form: During the processing of the request plus the statutory limitation period.
7. Your rights
7.1 Procedure for exercising your rights
You may exercise your rights
- by email at the following address: donneespersonnelles@cf-r.com
or
- by post at the following address: CF&R, Service qualité, BP 80085, 14503 Vire Cedex, France
To do this, you must clearly indicate your first name(s) and surname and the address to which you want the response to be sent.
In principle, you may exercise all your rights free of charge. However, in terms of the right of access, you may be required to pay reasonable fees based on administrative costs for any copies of the data that you request.
With regard to the right to be informed, the Data Controller will not be obliged to follow up on this if you are already in possession of the information that you request.
The Data Controller will inform you if they cannot comply with your requests.
These rights are not absolute and are subject to various conditions in virtue of:
- the applicable local personal data protection or privacy law; and
- the laws and regulations applicable to you.
The Data Controller wishes to inform you that failure to complete your data or making any changes to your data may have consequences for the processing of certain requests in the course of the contractual relationship and that your request in connection with the exercise of your rights will be retained for monitoring purposes for 6 years concerning the exercise of the right to object and 1 year concerning the exercise of the other rights.
All your rights are detailed below.
7.2 Your right to be informed
You acknowledge that this information notice informs you of the purposes, legal framework, interests, recipients or categories of recipients with whom your personal data is shared, and the possibility of a transfer of data to a third-party country or an international organisation.
In addition to this information and in order to ensure fair and transparent processing of your data, you declare that you have received additional information concerning:
- the retention period for your personal data;
- the existence of rights accorded to you and how to exercise them.
If we decide to process data for purposes other than those indicated, all information relating to these new purposes will be communicated to you.
7.3 Your right to access and rectify your data
By exercising this right, you receive confirmation that your personal data is or is not being processed and, when it is, you have access to your data as well as information concerning:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients, in particular recipients established in third-party countries;
- where possible, the planned retention period for personal data or, where this is not possible, the criteria used to determine this period;
- the existence of the right to request the rectification or erasure of your personal data from the Data Controller, the right to request restriction of the processing of your personal data and the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- information relating to the source of the data when it is not collected directly from the data subjects;
- the existence of automated decision-making, including profiling, and with regard to profiling, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the data subjects.
You may ask us to correct or supplement your personal data if it is inaccurate, incomplete, ambiguous or obsolete.
7.4 Your right to erase your data
You may ask us to erase your personal data for one of the following reasons:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you are withdrawing the previously given consent;
- you object to the processing of your personal data where there is no legal reason for such processing;
- the processing of personal data does not comply with the provisions of applicable legislation and regulations;
- your personal data was collected when you were a minor.
However, exercising this right will not be possible when the retention of your personal data is necessary with regard to the law or regulations and in particular for the establishment, exercise or defence of legal rights.
7.5 Your right to restrict data processing
You may request that processing of your personal data be restricted in the cases provided for by law and regulation.
7.6 Your right to object to data processing (unsubscribe)
You have the right to object to the processing of your personal data where the processing is based on the legitimate interest of the Data Controller.
In the event of direct communication, this right may be exercised by any means, including by clicking on the unsubscribe links at the bottom of communications sent.
7.7 Your right to data portability
You have the right to the portability of your personal data.
The data on which this right may be exercised is:
- only your personal data, which excludes anonymised personal data or data that does not concern you;
- declarative personal data as well as operational personal data;
- personal data that does not infringe the rights and freedoms of third parties such as that protected by business secrecy.
This right is limited to processing based on consent or a contract as well as to personal data that you have personally generated.
This right does not include derived or inferred data, which is personal data created by the Data Controller.
7.8 Your right to withdraw your consent
Where the data processing we carry out is based on your consent, you may withdraw this consent at any time. We then cease to process your personal data, without any previous transactions for which you had given your consent being called into question.
7.9 Your right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority, without prejudice to any other administrative or judicial appeal.
7.10 Your right to define post-mortem guidelines
You have the option of setting guidelines for the retention, erasure or communication of your personal data after your death with a trusted, certified third party responsible for enforcing the wishes of the deceased, in accordance with the requirements of the applicable legal framework.
8. Security of your data
We attach great importance to the protection, integrity and confidentiality of your data. We have therefore implemented technical and organisational measures to ensure an appropriate level of security in relation to the risk and thus protect your data against any loss, alteration, access or disclosure to unauthorised third parties.
However, despite our efforts, no security measure can protect against all risks of misappropriation or piracy, for which we, as Data Controller, cannot be held liable.
In the event of a breach of personal data, we undertake to notify CNIL (the French Data Protection Authority) in accordance with the regulations in force on the protection of personal data. In the event that a data breach presents a high risk to your rights and liberties, we will inform you as soon as possible and always pursuant to the conditions provided for by the regulations in force relating to the protection of personal data.