The purpose of this data use policy is to set in a clear and transparent manner the way in which LORIGE (*), as data representative, collects, records, stores and communicates the personal data of individuals with whom it interacts with in the course of its business, and in particular leads, customers, clients and partners (hereinafter referred to as the “Data Subjects” or the “Person concerned”).

LORIGE undertakes to ensure that this policy, as well as its application in practice, complies with the personal data protection system regulation (hereinafter referred to as the “Current regulations “), in particular

– The General Data Protection Regulation n°2016/679 of the Parliament and the Council of the 27th of April 2016 (hereinafter the “GDPR”);

– The French Data Protection Act n°78-17 of the 6th of January 1978 as amended by Act n°2018-493 of the 20th of June 2018;

– The French decree n°2019-536 of the 29th of May 2019 taken for the application of the law n° 78-17 of 6 January 1978 referred to as the “Law on Information Technology and Civil Liberties”, that pertain to information technology, databases and civil liberties.

This policy is subject to change according to the legal and regulatory context, and in light of the doctrine of the French National Commission for Information Technology and Civil Liberties (hereinafter the “CNIL”).

In order to ensure that its practices comply with current regulations, LORIGE has appointed a personal data protection representative (hereinafter the “Representative”).

The Representative (Data Protection Officer) is the Data Subject’s main contact with LORIGE regarding the protection of personal data.

The Data Subject may contact the Data Protection Officer for any questions relating to the processing of his or her personal data and the exercise of his or her rights in relation thereto (see article 8) by contacting the Officer at the following address: contact@lorige.com

The term “personal data” (hereinafter the “data”) refers to any information relating to an individual and enabling that person to be identified, either directly or indirectly.

In exact terms, it relates to the following data:

  • Identity: title, surname, first name, address, delivery address, telephone number, e-mail address, date of birth, internal processing code enabling the customer to be identified, data relating to registration on opposition lists.
  • Order data: transaction number, purchase details, purchase amounts, invoice payment data (payments, outstanding payments, discounts), product returns.
  • Data relating to means of payment: bank card number, expiry date of the bank card, visual cryptogram (which is immediately deleted).
  • Data required for loyalty and prospecting actions: purchase history.

 

LORIGE collects and processes personal data to fulfil a specific, explicit and legitimate objective.

However, LORIGE takes care to limit the collection of this data to what is strictly necessary for the purpose in question.

Nevertheless if LORIGE requests the Data Subjects to communicate only the personal data that is strictly necessary to process their request, they remain free to communicate the personal data of their choice.

Therefore, LORIGE may not be reproached for collecting data that it had not requested to be disclosed.

Personal data may be collected by LORIGE, depending on the case:

  • Directly from the Persons concerned, whether during professional meetings (trade fairs, conferences, events), during physical or telephone meetings, or via e-mail exchanges;
  • Via collection forms filled in by the Person concerned, in particular the “REGISTER FOR THE NEWSLETTER” form on the LORIGE.com website;
  • Through its customers and partners.

It is specified that certain data must be communicated, without which LORIGE will not be able to process the request of the Person concerned.

Failure to reply to information not marked with an asterisk shall not prevent LORIGE from processing the Data Subject’s request.

Finally, in any event and in accordance with the Regulations in force, each data processing operation carried out by LORIGE has one or more of the following legal bases (see article 6):

  • The consent of the Person concerned;
  • The execution of an agreement or pre-contractual measures taken at the request of the Data Subject (for example, a quotation or the study of the file of a candidate for a position at LORIGE);
  • Compliance with a legal obligation requiring the processing of data;
  • LORIGE’s legitimate interest, in particular with regard to improving its services.

 

The data collected by LORIGE is processed:

  • Internally by LORIGE, by LORIGE’s customer and billing departments;
  • By trusted service providers, chosen by LORIGE, and who process the said data specifically in the name and on behalf of the latter. LORIGE ensures that all the service providers it uses offer sufficient guarantees in terms of data protection, in particular with regard to confidentiality and security.

By way of example, LORIGE may use the following service providers:

  • Subcontractors, responsible for the delivery of orders;
  •  IT service providers (mailbox, business software, audience analysis solutions, hosting, maintenance of IT tools);
  • Marketing service providers (provider of a platform for electronic communications);
  • Other service providers (translation agencies etc.).
  • By LORIGE’s commercial partners in the event that customers have agreed that their e-mail addresses may be made available to them. The list of commercial partners, which is regularly updated, can be communicated on written request to the Referent at the following e-mail address contact@lorige.com

 

LORIGE may also be required to communicate the data of the Persons concerned to professional institutions such as for example,

  • Courts ;
  • Legal auxiliaries (bailiffs, solicitors, and lawyers);
  • The CNIL;
  • Mediation centres.

The Data Subject’s personal data may be transferred outside the European Union, to third countries for which the European Commission has not adopted an adequacy decision, even in the absence of appropriate safeguards within the meaning of Article 46 of the GDPR.

Such transfers are however justified, depending on the case, by :

  • the explicit consent of the Data Subject who has been informed of the risks to his or her data in the absence of an adequacy decision and appropriate safeguards;
  • The implementation of a contract between the Data Subject and LORIGE;
  • The establishment, exercise or defence of legal claims.

 

LORIGE shall keep the data of the Persons concerned only for as long as is necessary to achieve the objective pursued at the time of collection and in compliance with the Regulations in force.
LORIGE keeps the data of the Persons concerned only for the time necessary to achieve the objective pursued at the time of collection and in compliance with the Regulations in force.

Data processing details

LORIGE implements organisational and technical measures to ensure the security of the data of the Persons concerned, protecting them in particular against any loss, alteration, disclosure and against any unauthorised access.

In particular, each LORIGE employee is subject to the obligation of confidentiality and is made aware of the protection of personal data, notably through training.

In compliance with the Regulations in force, the Data Subject has the following rights with regard to his/her data:

  • The right to know whether personal data concerning him/her is processed by LORIGE and if so, the right to access this data, as well as any information relating thereto;
  • The right to request the rectification of any personal data that may be inaccurate;
  • Where the processing is based on his/her consent, the right to withdraw it at any time; otherwise, the right to object under the conditions of Article 21 of the GDPR to the processing that he/she has not authorised;
  • The right to request the erasure of processed data under the conditions set out in Article 17 of the RGPD (in particular in the event of opposition to the processing of data);
  • The right to the limitation of processing under the conditions of Article 18 of the GDPR;
  • The right to set out instructions on how they wish their rights to their personal data to be exercised after their death;
  • Where the processing is based on a contract or on his/her consent, the right to receive the personal data he/she has provided to LORIGE, in a structured, commonly used and machine-readable format, in particular so that he/she can pass them on to another controller, or even the right for LORIGE to communicate his/her data directly to the new controller;
  • The right to lodge a complaint with the CNIL (cnil.fr/en/complaints), as well as a legal appeal.

In the event of a request relating to the exercise of his/her rights, the Person concerned must necessarily prove his/her identity to LORIGE.

Thus, in the event of reasonable doubt as to the identity of the Data Subject and insofar as this cannot be verified otherwise, LORIGE may require the Data Subject to present a copy of his/her identity document.

For more information on his or her rights, the Person concerned may consult the CNIL website:

https://www.cnil.fr/en/home