Prepared on 23 May 2018
Provençal Investments S.A., a limited-liability company incorporated under the laws of the Grand Duchy of Luxembourg, having its registered office at 127, rue de Mühlenbach, L-2168 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B 116.230 (the “Company”, “us”, “we” or “our”), acting through its permanent establishment in France registered number 491 440 095 R.C.S. Antibes, 9 rue Saint-Barthélémy, 06160 Antibes, is committed to protecting your personal data (hereinafter “you” or “your”), and intends to process your personal data in a transparent and lawful way. Personal data is any information relating to an identified or identifiable natural person. Your name, address, phone number and email address are examples of personal data. In all circumstances the Company aims to process personal data according to the following principles:
This Privacy Notice is intended to provide you with some information regarding how your personal data will be collected, used, shared, and protected by the Company, which is described in greater detail in the sections below.
2. Who is the relevant “controller” of your personal data?
Our intention is to comply with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and applicable local laws. The Company is the data controller of your personal data processed by us, and can be contacted here: 9, rue Saint-Barthélémy 06160 Antibes, firstname.lastname@example.org.
3. What data is being collected or gathered?
The Company processes your personal data in order to send you our newsletter and for you to be able to receive commercial communications from the Company, Caudwell Collection and their affiliates, as described further in Section 4 below. We do not collect personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, nor do we process genetic data, biometric data for the purpose of uniquely identifying a person, or data concerning health, sex life or sexual orientation.
To achieve these purposes, the Company will only collect and process the following personal data:
4. How is the data being processed?
Processing of your personal data by the Company will always be based on legitimate grounds. The Company will be processing your personal data described above for the following purposes and under the following legal bases:
Your personal data will be collected and processed by the Company to manage our relationships with clients. In order to be able to send you our offers and our newsletters, we need to collect your personal data. We will not use your personal data for decisions based solely on automated processing if the decision produces legal effects concerning you or significantly affects you, unless you gave your explicit consent for this processing.
Your personal data may also be processed in connection with any legal proceedings or prospective legal proceedings, in order for the Company to establish, exercise or defend its legal rights, or in order to fulfill legal obligations, including but not limited to after a request from a competent administrative or judicial authority or in any circumstance where such processing is requested pursuant to applicable laws.
The Company will process your personal data identified above for our legitimate business interests around administering our relationships with clients and to keep our client database up to date. The Company will also process your personal data to comply with our legal obligations and, in particular, to comply with your rights as data subjects and your opt-out requests.
5. Who has access to your personal data?
The Company limits who has access to the personal data in our possession to only those who need it for a legitimate business purpose. Personal data is shared on a “need to know” basis. Only those individuals who need the data to accomplish a business objective should have access to personal data, and only for as long as they need it to accomplish the objective. Individual recipients are not authorized to share personal data with other employees or third parties unless that sharing is authorized and complies with all applicable Company policies. Specifically, we anticipate that the following categories of recipients will have access to your personal data, for the purposes listed below:
The Company may engage third party vendors to assist in processing personal data from time to time. The Company will pass on to any such vendor its obligations under the applicable data privacy law, require that the vendor secure the data, and provide additional notice as required by law. We will not sell, distribute or lease your personal data to third parties unless we have your permission or are required by law to do so.
Some of the recipients noted above might be located outside the European Economic Area (“EEA”). As described in Section 6 below, appropriate safeguards have been implemented to cover such transfers to recipients who will comply with all applicable laws and regulations.
6. Where is the data being transferred? On what legal grounds?
For EEA data subjects, your personal data may be transferred outside the EEA for the purposes listed above pursuant to EU Standard Contractual Clauses, Privacy Shield, or another legally binding and permissible arrangement. Such transfers will be compliant with all applicable laws and regulations. Relevant additional details regarding the basis for transfers of your personal data can be provided upon request by contacting us at email@example.com.
7. Data Security.
We are committed to ensuring that your personal data is secure. In order to prevent unauthorized access or disclosure, we have put in place appropriate technical and organizational measures to safeguard and secure the personal data we process. We employ a suite of IT security tools to safeguard personal data and restrict access to the data, and we have physical and organizational security measures in place to prevent unauthorized or unlawful access to personal data and accidental loss, destruction, or damage to personal data. The Company also maintains an inventory of personal data and evaluates the protections that we have in place for that data to ensure that our security measures are tailored to the sensitivity of the data.
In addition, as described in Section 5 above, the Company has carefully limited access to your personal data only to those individuals who need access to it in order to fulfill their assigned roles, and only to the extent that they need such access. Only those individuals who need the data to accomplish a business objective should have access to personal data, and only for as long as they need it to accomplish the objective. Employees are not authorized to share personal data with other employees or third parties unless that sharing is authorized and complies with this Policy.
If, despite all our efforts, a data breach does occur, we shall do everything in our power to limit the damage. In case of a data breach which is likely to result in a high risk, and depending on the circumstances, we will inform you about remedial actions to prevent any further damage. We always inform the relevant supervisory authority or authorities without undue delay.
8. Data Retention information.
The Company strives to only store your personal data for as long as necessary for the purpose for which we have processed it, and to dispose of it securely once that purpose has been fulfilled. Your personal contact data will only be retained 3 years from the last contact with you. In certain circumstances we may have to retain your personal data for a longer period to comply with a legal obligation or with a request from a public authority. In these events, we will delete or anonymize your personal data as soon as we have complied with our legal obligation or with the public authority request. The retention periods are established considering legitimate business purposes, according to the local regulations.
9. Data subject rights.
Data subject rights vary based on your local law. However, you can always ask the Company for more information about the people who will be able to see and access the data that relates to you. If you are aware of inaccurate data, it is your responsibility to request that the data be updated and corrected.
If you are located within the EEA, you may also have the right to:
The Company is committed to ensuring your data is protected from misuse. If you think your data and information have been used in violation of the laws, regulations, or the applicable data protection provisions, please alert the Company and it will assist you.
In particular, if you do not want to receive our newsletter or marketing communications from us, you can opt out of these processing operations by contacting us at firstname.lastname@example.org.
Any other requests, including those regarding the exercise of such rights, and questions can be directed to email@example.com.