Privacy policy
PRIVACY AND DATA PROTECTION POLICY
INNTO France attaches the utmost importance to protecting the privacy of individuals. It believes that a privacy policy should be simple and intelligible, meeting two precise objectives: your information and your protection.
In accordance with Regulation (EU) 2016/679 on the Protection of Personal Data [ci-après « le Règlement » ou « le RGPD »], the association INNTO France-Instituts nationaux de tourisme, owner of the INNTO France website and brand, is responsible for the processing of personal data collected on its behalf on the non-commercial website http://innto.fr [ci-après dénommé « le Site »].
In this capacity, INNTO France undertakes to comply with all the rules and obligations set out in the Regulation.
1. Key concepts
- “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
- “Processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing operation; where the purposes and means of such processing are determined by Union law or by the law of a Member State, the controller may be designated or the specific criteria applicable to his designation may be laid down by Union law or by the law of a Member State.
- “Sub-processor”: the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller.
- “Recipient”: the natural or legal person, public authority, department or other body that receives personal data, whether or not it is a third party. However, public authorities which may receive personal data in the context of a particular investigation in accordance with Union law or the law of a Member State are not considered as recipients; the processing of such data by the public authorities in question complies with the applicable data protection rules according to the purposes of the processing.
- “Third party”: a natural or legal person, a public authority, a service or a body other than the data subject, the controller, the processor and the persons who, placed under the direct authority of the controller or processor, are authorized to process personal data.
- “Consent” of the data subject: any free, specific, informed and unambiguous expression of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him or her may be processed.
- “Personal Data Breach”: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2. Purposes and methods of data processing
The Site User [ci-après « l’Utilisateur »] is hereby informed that any information it consents to communicate is useful for its browsing as well as for accessing, using and customizing the services offered on the Site, in accordance with the Legal Notice and the Site’s General Conditions of Use (hereinafter referred to as the “Services”). The information collected on the Site is mainly intended for INNTO France’s internal teams. Service providers duly appointed by INNTO France are also authorized to intervene on the Site and its databases when such intervention is strictly necessary for the provision of the Services (see article 5 “Subcontracting and data transfers”). The User’s contact details will never be transferred to third parties, whether free of charge or in return for payment, without the User’s express prior knowledge and consent.
The data processing methods used on the Site are as follows:
– the processes and purposes are :
Purposes Categories of processing
Enable the safe and stable maintenance and operation of the
website Hosting of the website Application supervision and constant and preventive security operations
Improve the experience of using the
services Provision of a contact form contact form Integration of browsing cookies (functional/analytical)
Manage the online recruitment service
Provision of an application form Manage the quotation transmission service
Provision of a quotation request form
Communicate on services Newsletter registration form available
– The personal data processed on the Site are :
Data category Data that may be collected Mandatory data (*)
Identification data Address, last name, first name Address, last name, first name (if using a form, except Newsletter registration form)
Contact details Email address, telephone number, postal address Email address (if using a form), postal address (if using an application or quotation request form)
Professional data Company or establishment, CV Company or establishment (if using application form or request for quotation), CV (if using application form)
Connection data IP address, browsing cookies IP address, browsing cookies (only those essential for proper Site operation)
INNTO France does not anticipate any other data that may be communicated by the User as part of a form made available to him/her. Nevertheless, such data will be protected in the same way as the data requested or required. If sensitive data (such as health, political affiliation, religious beliefs, sexual orientation, etc.) is transmitted, it will be automatically deleted without being processed. Under no circumstances should the User transmit intimate and highly personal information to the Site (e.g. data on his/her state of health, data on his/her sexual orientation, etc.). This information does not concern INNTO France in any way..
– The categories of persons concerned by such processing are Users of the Site, in the broadest sense.
– The length of data retention varies according to the purposes for which it is to be used:
Data concerned Retention period Deletion method
Identification data 3 years from the last solicitation of the User Manual deletion with time-stamped indicators
Contact data
Professional data
Connection data Maximum 13 months for analytical/statistical cookies Automatic deletion
3. Rights of persons concerned
In accordance with the provisions of Chapter III “Rights of the data subject” of the RGPD, the User benefits from a right of access, rectification, limitation, deletion and opposition of information concerning him/her, which he/she may exercise in the following ways:
– By e-mail to:
mesdonnees.personnelles@innto.fr
– Via the contact form on the Site, using the “RGPD Request” item in the drop-down menu dedicated to the “Subject of the request”.
– By post to : INNTO France – 40, rue de Rennes – 49100 ANGERS INNTO France also informs the User that, if he considers that his rights have not been respected, he may at any time lodge a complaint with the Commission Nationale Informatique et Libertés (CNIL) via www.cnil.fr/fr/plaintes/ or at the following address:
3 place de Fontenoy – TSA 80715
75334 PARIS CEDEX 07
www.cnil.fr
4. Security
INNTO France undertakes to implement all organizational, technical and structural measures to ensure the physical and logical security of personal data and to maintain them until such data is deleted. INNTO France undertakes to implement all organizational, technical and structural measures to ensure the physical and logical security of personal data and to maintain them until such data is deleted. In particular, it will actively combat any alteration, destruction or unauthorized access to data.
INNTO France points out that the Internet is not an entirely secure environment and that the Site cannot guarantee the perfect security of transmissions and storage of information on this network. However, INNTO France works daily to improve its security measures. In particular, connections and flows are encrypted to ensure the security of the transit of information to the Site.
INNTO France also undertakes to comply with the rules for notifying data breaches as provided for in Articles 33 and 34 of the RGPD (Notifications to the CNIL and/or Users).
All of these rules are also applied by INNTO France’s Subcontractors. This commitment constitutes a determining and essential component of its INNTO France subcontracts.
5. Subcontracting and data transfer
INNTO France informs Users and Customers that the proper operation of the Site requires the intervention of several subcontractors (hereinafter the “Subcontractors”) in connection with the following processing operations: Processing concerned Subcontractor Rank Contact details
(and location of servers if separate addresses)
Site editing, supervision and maintenance Atelier ASAP 1 Head office:
7, Rue Max Richard, 49100 Angers, FRANCE
Website hosting and backup O2 SWITCH
1 Head office:
222-224, Boulevard Gustave Flaubert, 63000 CLERMONT-FERRAND Server location: FRANCE
INNTO France certifies that it has studied and selected the Subcontractors for their levels of personal data protection in compliance with the requirements of the Regulation. The Subcontractors have undertaken, in the same way as INNTO France, to comply with the provisions of the said Regulation and to enable INNTO France by all means to meet its legal obligations concerning in particular the rights of the data subjects mentioned above. Subcontractors have also undertaken not to subcontract personal data without the prior information and approval of INNTO France. In this case, INNTO France will be responsible for verifying the existence of a level of personal data protection equivalent to that which it applies and has applied to its Subcontractors at this subsequent subcontractor. INNTO France and its Subcontractors jointly undertake that personal data collected on the Site will always be processed and hosted within the European Union or in a country or organization with an adequate level of security according to the European Commission. In accordance with Chapter V of the RGPD, INNTO France has taken all the necessary precautions to control its data transfers outside the European Union.
6. Cookies
As mentioned above, certain information is collected by means of cookies (small text files placed on the User’s browser which store information about the User which can then be consulted by the Site).
The cookies and tracers used on the site are the following:
N° N° COMPANY NAME FUNCTION LIFETIME
1 _ga Google Web analytics and for statistical/traffic measurement purposes enabling the site owner to better understand their users’ behaviour 13 months
2 _gat Google Web analytics and for statistical/traffic measurement purposes allowing the site owner to better understand the behavior of their users 24h
3 _gid Google Web analytics and for statistical/traffic measurement purposes allowing the site owner to better understand the behavior of their users 24h
6 __utma Google This cookie is used to distinguish unique visitors to the site. It is updated for each page viewed. 13 months
7 __utmb Google This cookie is used to track the visitor’s session. The use of this cookie, coupled with the _utmc cookie, makes it possible to track visits (sessions) to a given site. 30mn
8 __utmc Google This cookie works in conjunction with the _utmb cookie to determine whether or not there is a new visit by the current visitor at the end of the session
9 __utmt Google This is a cookie used as part of the Google Analytics service 10mn
10 __utmz Google This cookie stores all information useful for identifying a traffic source. 6 months INNTO France hereby informs the User that he/she may oppose the recording of cookies by adjusting the settings of the cookie manager present on first connection to the Site and, at any time, via the settings button at the bottom of the site (see visual below). Only cookies that are mandatory for the proper functioning of the Site may not be opposed by the User. Similarly, if the User refuses so-called “functional” cookies, he acknowledges that the Site may not function correctly and that his user experience may be severely disrupted. In addition, INNTO France informs the User that if, in general, he/she wishes to oppose the collection of cookies, he/she may also do so by configuring his/her browser (see CNIL advice).
7. Updating of the Privacy and Personal Data Protection Policy
The privacy policy may be modified or amended at any time. The User is invited to consult it regularly at http://innto.fr. In the event of a major change to this policy, an e-mail will be sent to the User to inform him of the change, at least 15 days before the effective date. Last modification: version dated January 21, 2024