POLITIQUE DE CONFIDENTIALITÉ
This Confidentiality Policy applies, without restriction or reservation, between the company NBP PARFUMS, a simplified joint stock company with capital of €15,425.00, registered with the Paris RCS under number 951 541 630, whose head office is located at 8 rue du Château Landon 75010 PARIS and having VAT number FR68951541630 (hereinafter the “ Data Controller ”) and any person browsing and/or placing an order for products on the website www.notesdebasdepaje.com (hereinafter the “ Person concerned ”).
Its purpose is to provide information concerning the manner in which the Data Controller collects and processes the Data of the Data Subject, in accordance with the legislation in force and in particular European Regulation No. 2016/679 and Law No. 78- 17 (hereinafter referred to as the “ Legislation ”), in relation to the website www.notesdebasdepaje.com (hereinafter referred to as the “ Site ”).
1) Definitions
- Supervisory authority means the National Commission for Information Technology and Liberties (CNIL), the French independent public authority regulating data protection;
- Consent means any manifestation of will, free, specific, informed and unequivocal by which the Data Subject accepts, by a declaration or by a clear positive act, that Data concerning him or her are subject to Processing by the Data Controller.
- Recipient means any natural or legal person, public authority, service or other body which receives communication of the Data, whether or not a Third Party. However, public authorities who are likely to receive communication of the Data, in particular as part of an investigative mission, are not considered Recipients within the meaning of this definition.
- Data means any information relating to the Data Subject.
- File designates any set of Data structures accessible according to determined criteria, whether this set is centralized, decentralized or distributed functionally or geographically.
- Legislation means any law and regulation relating to Data protection, and in particular European Regulation No. 2016/679 and Law No. 78-17.
- Browsing refers to the consultation, knowledge, ordering and/or purchase of Products on the Site by the Person concerned.
- Data subject means any natural person who browses the Data Controller's Site, as long as they can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, data location, an online identifier, or one or more specific elements specific to their physical, physiological, genetic, psychological, economic, cultural or social identity.
- Products means the products offered for sale on the Site by the Data Controller to the Data Subject.
- Pseudonymization means the processing of Data in such a way that it can no longer be attributed to the Data Subject without recourse to additional information.
- Data controller means the company NBP PARFUMS, a simplified joint stock company with capital of €15,425.00, registered with the Paris RCS under number 951 541 630, whose head office is located at 8 rue du Château Landon 75010 PARIS and having as VAT number FR68951541630, which alone or jointly with others, determines the purposes and means of the Processing.
- Site designates the infrastructure developed by the Data Controller according to the computer formats usable on the Internet including data of different natures, and in particular texts, sounds, fixed or animated images, videos, databases, intended to be consulted by the Data Subject to find out about and order Products ( www.notesdebasdepaje.com ).
- Processor means any natural or legal person, public authority, service or body other than the Data Controller which processes the Data on behalf of the Data Controller.
- Third party means any natural or legal person, public authority, service or other body other than the Data Controller, the Subcontractor and the persons who, placed under the direct authority of the Data Controller or the Subcontractor, are authorized to process the Data, and in particular the delivery service providers of the Products.
Processing means any operation or set of operations carried out or not using automated processes and applied to the Data or sets of Data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, limitation, erasure or destruction.
2) Principles relating to Processing
In accordance with the Legislation, the Data Controller undertakes to respect the following principles for each Processing:
- Legality;
- Loyalty ;
- Transparency;
- Limitation of purposes;
- Data Minimization;
- Exactness ;
- Limitation of retention;
- Integrity ;
- Confidentiality ;
- Responsibility.
3) Data processed
As part of its Browsing on the Site, the Data Controller is required to collect and process a certain amount of Data, and in particular:
- Personal information (surname, first name, postal address, email address, telephone number, date of registration and unsubscription to the Data Controller's newsletter, messages exchanged with the Data Controller);
- Banking information (means of payment, payment history);
- Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase and delivery history);
- Technical information (browsing behavior on the Site, IP address, products added to the basket, collection of consent).
4) Context of the Processing
The Data Subject's Data may be collected and processed by the Data Controller on different occasions, and in particular:
- Connection to the Site;
- Purchase of Products on the Site;
- Contacting the Data Controller on the Site;
- Subscription to the Data Controller’s newsletter;
- Navigation on the Site.
5) Purpose of Processing and Storage of Data
a) Management of Product purchases and deliveries
- Legal basis for Processing : Contract
- Data concerned : First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, Products purchased, payment method, order and delivery history
- Shelf life: 3 years from the last purchase of Products
b) Management of invoicing and accounting standards
- Legal basis for Processing : Legal obligation
- Data concerned : First name, last name, email address, postal address, telephone number, delivery address, order placed, delivery tracking number, Products purchased, means of payment
- Shelf life: 10 years from purchase of the Product
c) Management of commercial relationships
- Legal basis for Processing : Consent of the Data Subject
- Data concerned : First name, last name, email address, postal address, telephone number, purchase and delivery history, exchanges with the Data Controller, collection of consent
- Retention period: 3 years from the last contact by the Data Subject
d) Commercial prospecting and newsletter management
- Legal basis for Processing : Consent of the Data Subject OR legitimate interest of the Data Controller to promote the Products (in the event of prior purchase of Products by the Customer)
- Data concerned : Email address, first name, last name, telephone number, collection of consent (if applicable)
- Retention period: 3 years from the last contact by the Data Subject
e) Complaints and customer service management
- Legal basis for Processing : Legitimate interest of the Data Controller to improve its Products and respond to the requests of its Customers.
- Data concerned : First name, last name, email address, postal address, telephone number, purchase history, exchange history
- Shelf life: 5 years
f) Securing and improving the Site
- Legal basis for Processing : Legitimate interest of the Data Controller in managing the Site, securing and administering the Site, preventing fraud and malicious acts.
- Data concerned : IP address, Browsing data
- Shelf life: 13 months
g) Statistics
- Legal basis for Processing : Legitimate interest of the Data Controller in improving the Site
- Data concerned : IP address, Browsing data
- Shelf life: 6 months
The Data Controller reserves the right to anonymize the data that is the subject of Processing before deleting it.
The anonymized data may then be processed for statistical purposes.
6) Data Recipient
The Data Controller is the sole Recipient of the Data.
The Data Controller may, however, communicate to any Third Party the Data which is the subject of Processing when a legal obligation to do so exists or when the Data Controller considers in good faith that this is necessary to:
- Respond to any complaints against him;
- Comply with the requirements of the judicial and/or administrative order;
- Enforce any contract to which the Data Subject is a party;
- Safeguard the vital interests of any natural person;
- The execution of a mission of public interest.
In the event of a purchase from the Data Controller by a Third Party, the Data Controller reserves the right to share the Data with the Third Party purchaser subject to compliance with this Confidentiality Policy by this Third Party.
7) Rights of the Data Subject over the Data
The Data Subject has a certain number of rights over the Data which he or she can assert, unless there is an applicable legislative or regulatory exception, by making a request to the Data Controller at the following address:
PAJE FOOTNOTES
8 rue du Château Landon 75010 PARIS
If there is reasonable doubt about your identity, the Data Controller may ask you to attach a copy of an official identity document to support your request.
Requests will be processed as soon as possible and at the latest in accordance with the deadlines set by the Legislation.
7.1) Right of access
The Data Subject has the right to obtain from the Data Controller confirmation that Data are or are not processed and, when they are, access to said Data as well as the following information:
- The purposes of the processing;
- Categories of Data;
- The Recipients or categories of Recipients to whom the Data have been or will be communicated, in particular Recipients who are established in third countries or international organizations;
- When possible, the duration of retention of the Data or, when this is not possible, the criteria used to determine this duration;
- The existence of the right to request from the Data Controller the rectification or erasure of Data, or a limitation of the processing of the Data, or the right to object to this processing;
- The right to lodge a complaint with a supervisory authority;
- When the Data is not collected from the Data Subject, any available information as to their source;
- The existence of automated decision-making, including profiling, and, at least in such cases, meaningful information regarding the underlying logic, as well as the significance and intended consequences of such processing for the Data Subject .
The Data Controller provides a copy of the Data subject to Processing and reserves the right, in return for providing this copy, to pay a reasonable fee based on administrative costs for any additional copies requested by the Person. concerned.
7.2) Right of erasure and rectification
The Data Subject has the right to obtain from the Data Controller the rectification and/or erasure of inaccurate or obsolete Data as soon as possible unless a situation to the contrary prevents the exercise of this right, and in particular:
Exercise of the right to freedom of expression and information;
Compliance with a legal obligation;
The public interest in the field of public health, archives, scientific or historical or statistical research;
The establishment, exercise or defense of legal rights.
7.3) Right to object
The data subject has the right to object at any time, for reasons relating to his or her particular situation, to Data Processing based on the performance of a task carried out in the public interest or the need for the legitimate interests of the data subject. Data controller.
The Data Controller then undertakes to no longer process the Data, unless it demonstrates that there are legitimate and compelling reasons for the Processing which prevail over the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defense of legal rights.
Furthermore, the Data Subject has the right to object at any time to the Processing of Data carried out for prospecting purposes by the Data Controller, to the extent that the Data Subject is linked to such prospecting.
Finally, when Data are processed for scientific or historical research purposes or for statistical purposes, the Data Subject has the right to object, for reasons relating to his or her particular situation, to the processing of the Data, unless the Processing is necessary for the performance of a mission in the public interest.
7.4) Right to limitation
The Data Subject has the right to obtain from the Data Controller the limitation of Data Processing when:
- The accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Data Controller to verify the accuracy of the Data;
- The processing is unlawful and the Data Subject objects to their erasure and instead demands restriction of their use;
- The Data Controller no longer needs the Data for the purposes of the Processing but they are still necessary for the Data Subject to establish, exercise or defend legal rights;
- The Data Subject has objected to the Processing in accordance with Article 9.3, pending the verification whether the legitimate grounds pursued by the Controller override those of the Data Subject.
The Data Subject who has obtained the limitation of Data Processing is informed by the Data Controller before the limitation of processing is lifted.
7.5) Right to Data portability
The Data Subject has the right to receive the Data that he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit these data to another data controller without the Controller processing obstructs this, when:
- The Processing is based on the Consent of the Data Subject or on the performance of a contract to which the Data Subject is a party;
- The Processing is carried out using automated processes.
The Data Subject, when exercising his or her right to Data portability, has the right to obtain that the Data is transmitted directly from the Data Controller to another data controller, when technically possible.
7.6) Right to lodge a complaint with the Supervisory Authority
The Data Subject has the right to lodge a complaint with the Supervisory Authority if he or she considers that he or she is subject to illegal Data Processing by the Data Controller.
7.7) Right to define directives on the fate of the Data
The Data Subject has the right to define directives on the fate of the Data after his or her death with the Data Controller who will use all its technical means to enforce this wish.
8) Data Security
The Data Controller takes appropriate technical and organizational measures to protect the Data against destruction, loss, alteration, misuse and unauthorized access, modification or disclosure, whether these actions are voluntary or accidental. .
These technical and organizational measures aim to ensure the confidentiality, integrity, availability and resilience of the Site and the information systems where the Files are stored.
9) Modification of the Privacy Policy
The Data Controller reserves the right to occasionally modify this Privacy Policy.
In the event of a substantial modification of this Privacy Policy, the Data Subject will be informed personally of the new Privacy Policy.
The Data Subject is invited to regularly consult this Confidentiality Policy to be aware of any possible modifications to it.
The Data Subject may send questions about this Privacy Policy to the Data Controller at the following address: contact@notesdebasdepaje.com
10) Invalidity of the Confidentiality Policy
If any of the stipulations of this Confidentiality Policy proves to be void with regard to a rule of law in force or a judicial decision that has become final, it will then be deemed unwritten, without however resulting in the nullity of the entire Privacy Policy nor alter the validity of its other provisions.