Updated on 8/04/2019
Definition of Personal Data: any information relating to a natural person identified or identifiable directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.
1 Data collected by CARTEGIE on its websites and/or processed in its capacity as processing manager
The personal information sent by CARTEGIE users via requests for information on the products or services offered by the company, by online forms or questionnaires filled in by users is necessary/mandatory for the processing of such requests for information, forms or questionnaires.
The purpose of collecting personal data on this site is to process your requests and keep you informed of our news and products.
CARTEGIE may also seek contact data from partners for canvassing purposes.
The legal basis for data processing is CARTEGIE’s legitimate interest in carrying out these processing operations within the context of its activity, said operations corresponding to the reasonable expectations of the person.
Your data is kept for the time necessary for our exchanges and communications and for the archiving essential to our activity; this period has been set at 5 years after the last contact.
However, some data may be stored for a longer period of time in accordance with certain legal regulations. In this case, the data is no longer accessible to production services.
The data is intended for CARTEGIE and its production, marketing and sales departments or subcontractors for the purpose of managing and processing user requests.
It will only be disclosed to third parties in compliance with legal and regulatory obligations.
CARTEGIE may use contact details to send users its newsletters and/or offers adapted to their needs. The user can refuse this communication simply by ticking the box provided for this purpose in the contact form or upon receipt by clicking on the unsubscribe link on each newsletter.
In accordance with current legislation and more specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), which entered into force on 25th May 2018, the persons concerned have a right to access, modify, deletion, provide directives on their data and oppose its use on legitimate grounds.
You can exercise these rights by sending your request to our DPO by post with a copy of your ID to the following address: CARTEGIE – DPO – 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES or by email at the following address: dpo[@]cartegie.com
If, after contacting us, you consider that your data rights are not respected, you can send a complaint to the CNIL.
2 BtoC personal data processed by CARTEGIE within the context of its activity as a subcontractor
Within the context of its BtoC business, CARTEGIE undertakes to comply with the provisions of Law no. 78-17 of 6th January 1978 as amended, relating to data processing, files and freedoms, as well as Regulation 679/2016 of 27th April 2016 on the protection of personal data.
CARTEGIE undertakes to take the necessary measures to ensure the security and confidentiality of the personal data entrusted to it. CARTEGIE processes personal data only on instruction and on behalf of its partners and customers.
Origins of the data processed
CARTEGIE does not collect data from individuals. Its Partners, file owners, collect the data from individuals and then transmit their database to CARTEGIE as a subcontractor to create a marketing database.
Within the framework of its partnerships, CARTEGIE only has contracts with companies that undertake to comply with current legislation regarding the processing of personal data.
The personal data that CARTEGIE processes comes from file owners from the following fields of activity:
– Online stores
– Large retailers
– Competitions / Coregistration / Vertical websites
The use of the processed data
CARTEGIE sells data from its partners’ databases to its customers.
CARTEGIE helps its customers build and optimise their marketing, loyalty, customer relations and advertising campaigns, studies and surveys through statistical processing and analysis in order to:
– Select contacts for a marketing and/or advertising campaign
– Enable our customer to get to know their customers and therefore build loyalty.
– Enable relevant surveys and studies to be conducted.
Different channels can be used to contact people: post, telephone, email, text.
Operations allowing personalised communication can be carried out in order to contact you only within the framework of your interests.
To carry out these processing operations, CARTEGIE acts exclusively at the request of its customers and on their behalf.
CARTEGIE never comes into contact with people for its own purposes.
Once the selection operation has been carried out by CARTEGIE, the data is either processed by CARTEGIE on behalf of its customers, or transferred to service providers designated by the Customer, or transmitted to the customer.
3 BtoB personal data processed by CARTEGIE within the context of its activity as processing manager
The processing manager is: CARTEGIE 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES
Legal basis of the processing operation: the processing operation is built around one of the legal bases provided for in Article 6 of the GDPR, namely the legitimate interest of the processing manager.
The origin of the data processed:
The data processed by CARTEGIE in the context of its BtoB activity comes from the following sources:
CARTEGIE is a distributor of the INSEE database as well as the databases from open data.
CARTEGIE also has contracts with partners who make their BtoB files available for marketing purposes.
CARTEGIE collects non-confidential public data on the Internet only for professional purposes in order to enrich its existing databases.
Indeed, the legitimate interest is one criterion for legitimising the processing of personal data. Recital 47 of the GDPR states that “The legitimate interests of a processing manager, including those of a processing manager to whom personal data may be disclosed, may constitute a legal basis for the processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the processing manager. The processing of personal data for the purpose of canvassing may be considered as being carried out in response to a legitimate interest”.
Purposes of the processing operation:
Transmit information to its customers for commercial solicitation, research and customer knowledge purposes.
Develop directories of professionals and decision-makers in order to propose offers and/or products related to their function and/or activity.
Data processed: this mainly concerns
surname, first name and contact details including telephone and email address.
The Data is provided to our professional customers as part of their professional activity for their marketing and/or loyalty campaigns, market research and customer knowledge.
In relations between professionals, consent is not required in the case of commercial canvassing where such solicitations are related to the professional activity and/or function of the person solicited.
4 The exercise of rights
In accordance with current legislation and more specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), applicable from 25th May 2018, you have the right to access, change, delete, provide directives for (portability or instructions after your death) and oppose your data for legitimate reasons.
You may withdraw your consent at any time and request the deletion of your data.
In the event of a problem, you can appeal to the competent authority:
CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07.
To best process your data and answer your questions, CARTEGIE has appointed a Data Protection Officer (DPO) whose contact details are given below.
You can exercise your rights by sending your request by post with a copy of your ID to the following address: CARTEGIE – DPO – 3 rue Christian Franceries, Parc Chavailles 2, CS 80011, 33522 BRUGES or by email at the following address: dpo[@]cartegie.com
Within the context of this request, CARTEGIE will delete the data in the databases processed by its teams and will systematically forward this request to the Partner who provided this data for marketing.
Your rights can also be exercised directly with the Partner who collected the personal data or with the customer who contacts the person. A response must be provided within 1 month.
In any communication to you after processing your personal data you are informed of your rights with the possibility either to unsubscribe in case of email and text, or to contact the person in charge of the campaign to oppose the use of your data.
5 Data retention period
In accordance with Article 5e of Regulation 2016/679 of 27th April 2016, personal data shall be kept in a form which permits identification only for a period which does not exceed the period necessary for the purposes for which they are collected and processed.
As such, the data is kept by CARTEGIE within the context of BtoC for the duration indicated by its Partners.
In the absence of instructions received from the latter, BtoC CARTEGIE has established strict rules for Data that respect the rights and freedoms of individuals and, consequently, any data concerning individual whose last transaction with a partner is more than 5 years ago will not be kept by CARTEGIE.
In the case of processing involving the provision to CARTEGIE of its Customers’ data, the data is destroyed according to the customer’s instructions.
6 Data protection
CARTEGIE has defined a strict security and confidentiality policy for personal data.
CARTEGIE employees with access to the data are regularly made aware of the security of personal data and, more generally, of IT security.
Thus, user authentication, clearance management and workstation security follow strict rules.
An IT charter signed by all employees covers all these points.
The protection of the information system is our priority. The data is stored in our own Data Centre in France located at CARTEGIE’s headquarters.
Our infrastructure is managed by our administrators who are in control of all security conditions, ensuring full control of the data entrusted to us. Regular maintenance operations are carried out and we have a backup system.
The physical security of the premises is ensured by a remote monitoring system and data is stored in a secure environment with restricted access.
All our data transfers are made via secure protocols such as HTTPS, SFTP or CFT. These protocols guarantee data encryption and for CFT, additional compression.
In the event of a data breach, a procedure has been put in place to notify our Partners as soon as possible and to document the elements necessary to inform the supervisory authority if required
In April 2019, Base Plus, a subsidiary of the CARTÉGIE Group, was one of the first companies to obtain the Privacy Protection – Pact label, which confirms its commitment to respecting and securing personal data. More information >