1.01. What is the General Data Protection Regulation (GDPR)?
Regulation (EU) 2016/679 of 27 April 2016, applicable since 25 May 2018. It supersedes the framework previously set by the French Data Protection Act of 6 January 1978 and by Directive 95/46/EC, adopted in 1995 and transposed into French law by Law 2004-801 of 6 August 2004.
1.02. What is the purpose of this law?
The GDPR lays down principles for collecting and processing the personal data of natural persons: the data subject's consent, a purpose defined before the data are gathered, and security of the data collected.
1.03. What is data processing?
Processing is any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means (collection, recording, storage, consultation, disclosure, erasure, etc.).
1.04. What is personal data?
Personal data is any information relating to a natural person who can be identified, directly or indirectly, from it: surname, first name, e-mail address, etc.
2. Implementation and obligations to the data controller
2.01. Data processing
According to Article 5 of the GDPR, the principles governing the processing of personal data are the following.
The data shall be processed lawfully: the data subject must have consented to the processing of their personal data as part of the activities of the Palais du Rosaire website.
The data shall be collected for a specific, explicit and legitimate purpose and shall not be used later for any purpose incompatible with that originally foreseen.
The collected data shall be adequate, relevant and limited to what is necessary for the purpose of the processing.
Accurate and kept up to date.
The data shall be kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed. These data are held as current records (archives courantes) and are promptly deleted once they are no longer needed.
Palais du Rosaire undertakes to collect and process personal data only after obtaining the user's consent. These data shall be used only in connection with the online sale of religious items by Palais du Rosaire (product information, pending orders, new items, exclusive items, etc.).
Palais du Rosaire undertakes to collect only the personal data that are useful and necessary to its online business, and to retain them only as long as necessary to identify and recognise the user. They shall be deleted once they are no longer needed or upon the customer's request.
3. Obligations related to the rights of persons concerned by personal data processing
The GDPR grants data subjects rights, notably the right to withdraw consent and the rights of access, rectification, erasure, restriction of processing, objection and data portability.
In the course of its business, Palais du Rosaire shall not transfer any personal data outside the European Union.
Personal data shall be kept only for the period reasonably needed to identify and recognise the user.
At any time, the user may lodge a complaint with the CNIL (the French supervisory authority).
Data subjects have the right to request:
Access to their personal data: on request, the data controller of Palais du Rosaire will confirm whether their data are being processed, provide a copy of the data held and give information on the characteristics of the processing.
Rectification of their data
Deletion of their data
The right of portability on their data
The right to object: users may require Palais du Rosaire not to use their data for marketing purposes and, under certain conditions, require the data controller to stop processing their data altogether.
That their data not be subject to a decision based solely on automated processing.
For any such request, Palais du Rosaire undertakes to reply as soon as possible and in any case within one month of receipt of the request (the GDPR allows this period to be extended by two further months for complex or numerous requests, provided the data subject is informed of the extension within the first month). If the request is refused, Palais du Rosaire undertakes to give the reasons for the refusal within the same one-month period and to inform the data subject of their right to lodge a complaint with the CNIL.
4. Implementation of the appropriate technical and organisational measures to fulfil the objective of compliance with the provisions of the GDPR
In accordance with Article 32 of the GDPR, the data controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.01. What specific measures are taken by Palais du Rosaire?
Palais du Rosaire has implemented a module called “Official GDPR compliance” that gives users:
- The right to access their personal data and right of portability
- The right of correction and/or deletion of their personal data
- The right to withdraw consent when consent has been requested
This module generates and stores a log of all operations on the personal data collected and processed by Palais du Rosaire (access, consent, deletion of data).
To make any request about your personal data, go to our contact form www.palaisdurosaire.com/nous-contactez, select the subject “personal data” and send your request; it will be processed as soon as possible and in any case within one month of receipt.
In accordance with Article 33 of the GDPR, the data controller must notify the CNIL of any personal data breach likely to result in a risk to the rights and freedoms of individuals without undue delay and, where feasible, within 72 hours of becoming aware of it.
4.02. Measures implemented to secure personal data:
- Restrict and control physical and logical access to personal data
- Perform regular back-ups on separate, secured media
- Install firewalls and anti-virus software
- Establish a security-breach management procedure: identification, remediation, collection of technical and legal evidence, criminal complaint, insurance claim, notification to the CNIL, public communication about the breach
- Prepare standard templates for notification to the CNIL
1. What is a cookie?
A generic term covering all tracers placed and/or read, for instance when visiting a website. Using browsing cookies requires the user's prior consent, except for certain cookies that are exempt from it.
2. Cookies exempt from consent
Cookies strictly necessary to provide a service explicitly requested by the user:
- Shopping cart
- Session IDs
- Session cookies created by a media player
- Load-balancing cookies
- Audience-measurement cookies (e.g. Google Analytics), only when configured to meet the CNIL's exemption conditions (no cross-site tracking, data used solely to produce anonymous statistics); in its default configuration Google Analytics does not meet them and requires consent
- Customization cookies (e.g. language or display preferences)
3. Cookies requesting prior consent
- Cookies relating to advertising campaigns
- Social media cookies generated by share buttons
Once given, cookie consent remains valid for no more than 13 months; after that period the user must be asked again.
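The two cookie classes above and the 13-month ceiling on consent translate directly into a small gate that a site's front end can consult before setting any cookie. The following is an added example, not code from the Palais du Rosaire site or from the “Official GDPR compliance” module; the category names, the consent record layout and the `consent` cookie name are assumptions made for illustration. The clock and storage are passed in as plain values so the logic runs outside a browser.

```javascript
// Added example (not the site's own code). Categories the page lists as exempt
// from consent: they may be set without asking (names are illustrative).
const EXEMPT_CATEGORIES = new Set([
  "cart", "session", "media-player", "load-balancing", "customization",
]);

// Categories that require prior consent. Audience measurement is placed here
// because, absent the CNIL's strict exemption conditions, it needs consent.
const CONSENT_CATEGORIES = new Set(["advertising", "social-share", "analytics"]);

// CNIL ceiling: a consent choice is valid for at most 13 calendar months.
const CONSENT_VALIDITY_MONTHS = 13;

// Expiry instant of a consent granted at `grantedAtMs` (epoch milliseconds).
function consentExpiresAt(grantedAtMs) {
  const d = new Date(grantedAtMs);
  d.setUTCMonth(d.getUTCMonth() + CONSENT_VALIDITY_MONTHS); // overflows into next year
  return d.getTime();
}

// A consent record is trusted only if it is well formed, not dated in the
// future (tampered or skewed clock), and younger than 13 months.
function isConsentValid(record, nowMs) {
  if (!record || typeof record.grantedAt !== "number") return false;
  if (!Array.isArray(record.categories)) return false;
  if (record.grantedAt > nowMs) return false;
  return nowMs < consentExpiresAt(record.grantedAt);
}

// Build a consent record from the categories the user ticked, discarding
// anything that is not a known consent-requiring category.
function recordConsent(categories, nowMs) {
  const allowed = categories.filter((c) => CONSENT_CATEGORIES.has(c));
  return { grantedAt: nowMs, categories: allowed };
}

// Decision point: may a cookie of `category` be written right now?
// Exempt categories: always. Consent categories: only with a valid, matching
// consent. Unknown categories: deny by default.
function mayWriteCookie(category, record, nowMs) {
  if (EXEMPT_CATEGORIES.has(category)) return true;
  if (!CONSENT_CATEGORIES.has(category)) return false;
  return isConsentValid(record, nowMs) && record.categories.includes(category);
}

// Serialise the record as a Set-Cookie value whose Max-Age ends exactly at the
// 13-month ceiling, so the browser itself forgets the choice when it lapses.
function consentCookieHeader(record, nowMs) {
  const maxAgeSec = Math.floor((consentExpiresAt(record.grantedAt) - nowMs) / 1000);
  const value = encodeURIComponent(JSON.stringify(record));
  return `consent=${value}; Max-Age=${maxAgeSec}; Path=/; Secure; SameSite=Lax`;
}
```

In a real page the record would be read back from `document.cookie` (or `localStorage`) and `mayWriteCookie` called before any advertising or share-button script is injected; the deny-by-default branch for unknown categories is what keeps a newly added tracker from slipping through until it has been classified.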