Personal Data Policy

1. PREAMBLE – ABOUT US

Our Website adress is : https://www.gourming.com.

Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data, also known as the General Data Protection Regulation (hereinafter the ‘GDPR’), establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and responsibilities of data controllers, subcontractors, data subjects and data recipients. In particular, it requires data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible manner.

The company SAS « DIRECTFOOD LOGISTIC » whose head office is at 52, Avenue du Canada – 35200 Rennes, registered in the RCS of Rennes under number 812 022 853 (hereinafter the ‘Company’), and publisher of the website ‘https://www.gourming.com/’, processes the personal data described in this document.

We attach great importance to your personal data, and through this document, we provide you all the useful information so you can know what we do with your personal data, and so that you are aware of the rights that you can assert at any time. For a proper understanding of this policy, it is stated that:

  •   ‘personal data’ : designates all the information that makes you directly or indirectly personally identifiable, in particular your name, first name, address, telephone number, e-mail address, bank details, username, password, cookies, IP address and other information that allows your identification and that you make available to us at any time
  • ’data controller’: natural or legal person who determines the purpose and means of processing the personal data defined in this policy. Under the latter, the data controller is the Company;
  • ’subcontractor’: natural or legal person who processes personal data on behalf of the data controller. In practice, these are service providers with whom the Company works and who have an interest in the personal data it processes;
  • ’data subjects’: refers to the people who can be identified, directly or indirectly: as regards the Site: Gourming customers and prospects.
  • ’recipients’: natural or legal persons who receive personal data. Data recipients may therefore be both internal recipients and external bodies.

2. PURPOSE

The purpose of this policy is to meet the Company’s requirement to provide information and to formalise the rights and responsibilities of the people concerned by the processing of personal data.

This policy applies only to processing for which the Company is responsible.

The processing of personal data may be managed directly by the Company or through a specifically designated subcontractor.

This policy is independent of any other document that may apply to the contractual relationship between the Company and its applicants and contacts (cookies, business or partnership contracts, etc.).

3. GENERAL PRINCIPLES AND COMMITMENT

Processing is only carried out if it relates to personal data collected by or for the services offered on the Site, or processed in connection with these services and your relationship with Gourming. We may collect your personal data when:

  • You are visiting the website
  • You send us a complaint, ask a question or any other remark.
  • You create an account on the website.
  • You communicate with us your personal data on the website or in any other way whatsoever.

Applicants and contacts will be informed of any new processing operations, or changes to or deletion of an existing processing operation.

The Company does not treat sensitive data (data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sexual life or sexual orientation of a person). The Company does not make automated individual decisions.

4. PROCESSING OPERATIONS AND TYPES OF DATA COLLECTED THROUGH PROCESSING

1 ° Questions sent via the “contact” form

NON-TECHNICAL DATATECHNICAL DATA (ON THE WEBSITE)
• Identification: surname/first name
• Contacts detail : phone/ email adress
• Identification data (IP)
• Connection data (especially logs)

 2 ° Creation of a customer account

NON-TECHNICAL DATA TECHNICAL DATA (ON THE WEBSITE)
• Contacts detail : email adress / Company • Identification data (IP)
• Connection data (especially logs)

3 ° Request for quotation

NON-TECHNICAL DATA TECHNICAL DATA (ON THE WEBSITE)
• Contacts detail : email adress / Company • Identification data (IP)
• Connection data (especially logs)  

5. PURPOSES OF THE PROCESSING

The Company undertakes in particular to sign a written contract with all of its subcontractors and imposes on subcontractors the same obligations in terms of data protection. In addition, the Company reserves the right to conduct an audit of its subcontractors in order to ensure compliance with the provisions of the applicable regulations. With the exception of communication to the persons defined above, your personal data will not be the subject of communications, transfers, rentals or exchanges for the benefit of any third party.

Selon les cas, la Société traite vos données pour les finalités suivantes :

  • Depending on the situation, the Company processes your data for the following purposes:
  • managing the relationship with our customers;
  • processing quotation requests;
  • answering questions and complaints (by phone or online);
  • improving our services;
  • meeting our administrative responsibilities.

6. LEGAL BASIS

Processing operations are based on the legitimate interest with regard to the “contact” section.

7. DATA RECIPIENTS

The Company ensures that data can only be accessed by the following authorised internal or external recipients:

  • on a case-by-case basis and in accordance with the purpose of the processing: representatives and employees of the Company, entities of the Groupe Le Duff linked to Gourming’s activity.
  • if necessary, employees of technical service providers of the Company involved in the operation of the website, official pages of the Company’s social networks, and which contribute to the execution of your order, collect your payment, send you information and commercial offers. To date, these are the following companies:

– TALSION (hosting)

– Artwaï (Web development)

  • public bodies, exclusively to meet the legal obligations of the Company,
  • court officers, ministerial officers.

The Company ensures that its subcontractors comply with its obligations under applicable regulations.

The Company undertakes in particular to sign a written contract with all of its subcontractors and imposes on subcontractors the same obligations in terms of data protection. In addition, the Company reserves the right to conduct an audit of its subcontractors in order to ensure compliance with the provisions of the applicable regulations. With the exception of communication to the persons defined above, your personal data will not be the subject of communications, transfers, rentals or exchanges for the benefit of any third party.

8. TRANSFER OF PERSONAL DATA

If this is necessary for the purposes described above, your data may, for technical reasons, be transferred to a third country.

When the country concerned does not have an adequacy decision (which means its data protection level is equivalent to that in place in the European Union), the Company ensures as far as possible that the transfer is backed up by one of the following appropriate safeguard measures:

  • contractual clauses similar to those approved by the CNIL [French National Commission for Information Technology and Civil Liberties];
  • our adherence to an approved code of conduct;
  • compliance with a certification scheme certified by an approved body;
  • binding corporate rules approved by the CNIL.

You can obtain a copy of the guarantees in question by requesting it under the conditions defined below in Article 11.

9. STORAGE PERIOD

The data storage period is determined by the Company in view of its legal and contractual constraints.

TreatmentStorage Period
Contact section3 years after collection
Customer account3 years after collection

Generally, data that can be used to prove a right or an agreement must be stored as a legal requirement, for the period prescribed by the law in force. At the end of the period defined for each category of personal data processed, and subject to provisions permitting storage that is strictly necessary for the exercise of a right and proof of this right for the prescribed period applicable or pursuant to the legal requirements to which the Company is subject, the Company:

  • destroys personal data, or
  • stores this data in an irreversibly anonymised form, so that it no longer constitutes personal data within the meaning of the applicable regulations.

Applicants and contacts are reminded that the deletion or anonymisation of data is irreversible and that the Company is not able subsequently to restore it.

10. YOUR RIGHTS

1° RIGHT OF ACCESS

Applicants and contacts usually have the right to ask the Company to confirm whether or not their personal data has been processed. Applicants and contacts also have the right of access.

Applicants and contacts have the right to request a copy of their personal data that has been processed by the Company. However, if an extra copy is requested, applicants and contacts may be required to reimburse the Company for this cost.

If applicants and contacts submit their request for a copy of their data electronically, the information requested will be provided to them in a commonly used electronic format, unless requested otherwise.

Applicants and contacts are informed that this right of access does not apply to information or data that is confidential or for which the law does not authorise disclosure.

2° YOUR RIGHTS

You can ask the Company to update your data or do it yourself in your customer area. However, the Company may not be blamed for a lack of updates if the applicant or contact does not update their data.

3° OTHER RIGHTS

Under the conditions defined by the texts, you also have applicable, in certain cases, a right to erasure (article 17 of the RGPD), a right of opposition (article 21 of the RGPD), right to limitation (article 18 of the RGPD), a right to portability (article 20 of the RGPD), the right to define directives relating to the fate of personal data after death (article 32 of the law of January 6, 1978 amended).

4° RIGHT TO LODGE A COMPLAINT WITH THE CNIL

Applicants and contacts affected by the processing of their personal data are informed of their right to lodge a complaint with the supervisory authority, namely the CNIL in France, if they believe the processing of their personal data does not comply with European data protection regulations. Complaints should be sent to the following address:

CNIL – Complaints department: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel: +33(0)1 53 73 22 22

11. HOW TO APPLY YOUR RIGHTS

The request must be sent by mail to the address: vosdonneespersonnelles@groupeleduff.com or by post to the address : DPO GROUPE LE DUFF, 52 AVENUE DU CANADA, 35200 RENNES.

Data subjects are informed that these are rights which can only be exercised by them. To meet this obligation, the Company will verify their identity. If a request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may: demand the payment of a reasonable fee which takes into account the administrative costs incurred in providing the information, carrying out communications or taking the action requested; or refuse to act on these requests.

12. OPTIONAL OR MANDATORY NATURE OF RESPONSES

Applicants and contacts are informed on every personal data collection form whether a response is mandatory or optional through the use of an asterisk.

If responses are mandatory and you do not provide them, you will not be able to access the services offered on the Gourming customer area.

13. LINKS TO THIRD PARTY SITE

The Company may present links to other websites. However, the Company is not responsible for the content or the information collection policies on these websites. If you visit third party websites, we recommend that you check their information collection and privacy policies. The Company accepts no responsibility to this regard. Please check these policies before submitting your personal data on these websites.

14. RIGHT OF USE

The Company is given the right by applicants and contacts to use and process their personal data for the purposes defined above.

15. SECURITY

It is the Company’s responsibility to define and implement the technical security measures, whether physical or logical, it deems appropriate to prevent the destruction, loss, alteration or unauthorised disclosure of data, whether accidentally or unlawfully.

These measures notably include:

  • the use of security measures for accessing the premises (closing offices, badges, etc.);
  • secure access to our computers and smartphones (access code changed regularly);
  • login and password for all our business applications;
  • management of authorisations for access to data (special features for our financial, accounts and communications departments);
  • VPN for remote connections;
  • complex and regularly changed passwords for our Wi-Fi network;

To achieve this, the Company may be assisted by any third party of its choice, as often as it deems necessary, to carry out vulnerability audits or intrusion tests.

In any case, in the event of changes to the means of ensuring the security and confidentiality of personal data, the Company commits to replacing them with higher-performing measures. No changes may lead to a lower level of security.

16. DATA BREACHES

In the case of a personal data breach, and unless the violation in question is not likely to pose a risk to your rights and freedoms, the Company commits to informing the CNIL under the conditions prescribed by applicable regulations.

If this breach poses a high risk to applicants and contacts and data has not been protected, the Company:

  • will inform the applicants and contacts affected;
  • will provide the applicants and contacts affected with the necessary information and recommendations.

17. REGISTER OF PROCESSING OPERATIONS

The Company has a register of processing operations.

18. CHANGES

This policy may be changed or adjusted at any time in the event of changes to legislation, case law, CNIL decisions and recommendations or usage.

Any new versions of this policy will be brought online on the website.

See my quote