Personal data protection policy

of the website of Bertrand Hospitality Group

Introduction

This personal data protection policy (the ‘Policy’) describes the methods that OB Holding, acting on its own behalf and on behalf of its affiliates (the ‘Affiliates’), i.e. its subsidiaries and the subsidiaries of its parent company, Bertrand Hospitality (‘OB Holding’ or ‘we’), employs in the collection, use, protection and sharing of the personal data of persons who visit our website: https://www.bertrand-hospitality.com.

OB Holding is committed to the protection of personal data in order to encourage innovation while building a relationship of lasting trust based on shared responsible social values and respect for the rights and freedoms of individuals.

This Policy applies to France. Its main objective is to describe the way in which OB Holding, in its role as data controller, collects, uses, protects and shares the personal data of its contacts. It brings together, in a concise, transparent, comprehensible and easily accessible format, information concerning the data processing implemented to enable contacts to understand under what conditions their data is processed, what their rights are in this respect and to present OB Holding's commitments in its capacity as data controller.

This Policy is independent of any other document that may apply within the contractual relationship that we may have with our contacts (cookies, commercial or partnership contracts, etc.).

For a proper understanding of this Policy, it is specified that:

- “customer(s)”, “contact(s)” or “candidate(s)” refers to any natural or legal person in a relationship with OB Holding or its subsidiaries or affiliates (customers, candidates, prospects, relations, partners, etc.);

- “data controller” means any natural or legal person who determines the purposes and means of the processing of personal data as defined in this Policy;

- “processor” refers to any natural or legal person who processes personal data on behalf of the controller (in practice, this refers to the service providers with whom we work and who handle the personal data processed by the controller);

- “recipients” refers to the natural or legal persons who receive personal data, and may therefore be both internal recipients and external bodies.

Who is OB Holding?

OB Holding, the data controller, is a simplified joint stock company under French law with a share capital of 412,744 euros, having its registered office at 55, rue Deguingand - 92300 Levallois-Perret, France. It is registered in the Nanterre Trade and Companies Registry under number 388 300 444.

How can you contact us?

If you have any questions about this Policy and the protection of personal data at OB Holding, you can contact us:

By email:

dpo-mutualise@groupe-bertrand.com

By post:

OB Holding

Legal Department – personal data

55, Rue Deguingand

92300 – Levallois-Perret

Grounds for processing your personal data

The information communicated by the user when using the Website, as well as the technical information collected by the host, may constitute personal data. The collection and processing of such personal data is governed by our personal data protection policy, available HERE, which forms an integral part of these Terms of Use.

By using the Website, users agree that we may collect personal data about them, in particular in order to provide them with access to the Website, improve and optimise its quality, send them information about our services and news, and carry out statistical studies and analyses.

The user is invited to consult our personal data protection policy, available HERE, which describes the way in which OB Holding, in its capacity as data controller, collects, uses, protects and shares the personal data of its contacts, as well as the rights that users have in relation to their personal data.

The user is informed and expressly acknowledges that there are risks of security, confidentiality and privacy inherent in the use of the Website. The user assumes full responsibility in this respect and accepts that we give no assurance or guarantee in relation to such risks.

Fair and transparent data collection

In the interests of transparency, we take particular care to inform our contacts about the processing that concerns them. To this end, OB Holding (on its own behalf and on behalf of its Affiliates) has defined this Policy, which is also reproduced according to the data collection media used.

Purpose limitation

When we process data, we do so for specific purposes. Each data processing operation pursues a legitimate, specific and explicit purpose.

Proportionate data processing

We undertake to collect and use only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

We ensure that data is kept up to date where necessary, and implement procedures to enable the deletion or rectification of inaccurate data.

The personal data we collect and process

As part of the processing of personal data, the purposes of which will be presented to you below in paragraph 10, "The Legal Basis and Purposes of Our Data Processing," we may collect and process the following categories of data:

- your IP address;

- all your connection data linked to your IP address (e.g., geolocation, session duration, pages viewed, type of browser and hardware used, etc.);

- any other personal data that you provide to us.

We do not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor do we process genetic data or biometric data for the purpose of uniquely identifying a natural person, or data concerning a natural person's health, sex life, or sexual orientation. If you provide us with the personal data of a third party, you must first inform them of your action and ensure that you have the necessary authorizations and their agreement to do so.

The origin of the data we process

Declarative personal data

We may collect personal data directly from our contacts, in particular when:

- you log on to our Website;

- you interact with us in any other way, including via our customer service department and/or on social networks;

- you write a review or comment on our social networks or on third-party social networks.

We undertake to collect only the minimum amount of personal information necessary for the purposes covered by this Policy.

Should we need to use your personal data for purposes not covered by this Policy, you will be asked for additional consent.

Please note, however, that your consent will not be required if the original processing was based on legitimate interest or the performance of a contract, and our further processing of your personal data is compatible with the original purposes pursued at the time of collection of the data concerned.

Personal operating data

The operations carried out when we provide you with services generate and produce data about you. This is the case when you use our Website. This data from the operation of our Website is processed.

Personal data from third parties or other services

We may collect data about you from other companies and entities, including our Affiliates and branches, public databases, social networks or third-party partners such as analysis or marketing service providers with whom you have been in contact and whom you have authorised to share personal data about you with us for the purposes of commercial prospecting or advertising targeting. Where applicable, these communications are governed by the personal data protection policies of these social networks or third-party partners, to which we refer you.

We may also collect public information, accessible to everyone, for example on your profile, when you interact with us on social networks. Social networks also allow us to collect communications addressed to us or concerning us.

In some cases, we may also collect information that you provide about other people. We use this information only to respond to your requests and will not send marketing communications to your contacts unless they opt-in to receive communications from us.

We may associate and combine the data you communicate to us online and offline with your account data when you have an account or are registered for our relationship or loyalty programmes, or when you use one of our services, and/or data collected by automated means and from other sources.

Personal data collected by automated means

We may use automated technologies to collect data from your computer or mobile device (phone or tablet) when you use our online services.

These automated technologies include cookies, local shared objects and web beacons.

Further information is available in our cookie notice available HERE.

We are therefore likely to collect the following data:

- your IP (Internet Protocol) address;

- the dates and times when you access our services online or on site;

- the names and URLs of files consulted using our online services;

- the type of operating system and browser of the computer or mobile phone used;

- the type of mobile device used and its settings;

- the Unique Device Identifier (UDID) or Mobile Equipment Identifier (MEID) associated with your mobile phone.

Legal basis and purposes of our data processing

Recipients of your data

The personal data we collect, as well as those collected subsequently, are intended for us in our capacity as data controller, except when we act as an intermediary to offer you products or services ancillary to our offers. In this case, the data controllers are designated in the relevant information notices.

We do not sell any of your personal data and share it only in accordance with the terms stipulated in this Policy or if we are required to do so by law. We will not rent, distribute or sell your personal information to third parties unless you have given us prior permission to do so.

We ensure that your data is only accessible to the authorised internal or external recipients referred to below.

Your data may be communicated to the directors, employees and officers of OB Holding and its Affiliates.

We may also share your data with service providers who provide us with services such as data processing services and other services related to information technology, studies and analyses.

A list of our subsidiaries and service providers who may have access to your data can be sent on request to the address given above in the “How to contact us?” section.

In addition, we may share information that does not directly identify you, such as anonymous aggregated statistics about your use of our services. We may also combine information about you with information about other contacts and share it in a way that makes it impossible to associate it with a specific contact.

Finally, we may use or share personal data as necessary to comply with any law, regulation or legal requirement, to protect our online and on-site services, to initiate or defend legal proceedings, to protect the rights, interests and safety of our organisation, employees, franchisees or the general public, or in connection with the investigation of fraud or any other breach or violation of our policies.

For strategic or other business reasons, we may decide to sell or transfer some or all of our business. In the event of such a sale or transfer, we may transfer the information we have collected and retained (including personal data) to any person or entity involved in the transaction. In the event of a merger, acquisition, assignment or transfer of all or part of our business, your data may be communicated to the persons or entities concerned.

Transfer of your data

We do not transfer your data outside the European Union, except in situations where this is necessary to respond to your request or provide you with the requested services. In this context only, your personal data may be transferred outside the European Union, to countries whose applicable legislation on the protection of personal data differs from that applicable within the European Union or to your country of residence.

If we need to transfer data outside the European Union in cases other than those necessary for the provision of our services, we will only do so after taking the necessary and appropriate measures to ensure a level of protection and security of personal data equivalent to that offered in Europe.

Where the recipient is located in a country whose legislation has not been declared adequate by the European Commission, we ensure that the transfer is governed by the European Commission's standard contractual clauses, which make it possible to guarantee a sufficient level of protection of the privacy and fundamental rights of individuals or equivalent guarantees, by request to dpo-mutualise@groupe-bertrand.com.

We can provide you with a list of the countries in which we store and process your data and those in which it is occasionally transferred on request to the address given above in the How to contact us section.

How long we keep your data

We ensure that your personal data is only kept in a form that allows identification of the data subjects for as long as is necessary for the purposes for which it is processed. The retention periods we apply to your personal data are proportionate to the purposes for which they were collected.

As a general rule, your personal data is kept for the duration of your relationship with us, plus three (3) years from the last time you contact us or after the end of our relationship. It is then archived in order to meet our legal obligations or for evidential purposes, or is anonymised for research and statistical purposes. We do, however, retain certain data after your account has been deleted where such retention is required by law, or where such retention is necessary to enable us to manage disputes and claims.

In some cases, we may retain certain personal data about you even if you delete your account, for legal reasons, or if there is still a problem with your account, for example, an unresolved complaint or dispute. In this case, the data necessary for the resolution of the problem, claim or dispute will be retained for as long as it is outstanding, subject to the applicable statute of limitations.

Other data may be kept after having been processed to prevent them being attributed to an identified person for research and statistical purposes.

The security of your data

We attach particular importance to the security of personal data.

Appropriate technical and organisational measures are implemented to ensure that data is processed in such a way as to guarantee its protection against accidental loss, destruction or damage that could undermine its confidentiality or integrity.

When developing and designing, or selecting and using, the various tools that enable personal data to be processed, we ensure that they provide an optimum level of protection for the data processed.

We therefore implement measures that respect the principles of protection by design and protection by default of the data processed. To this end, we are able to use pseudonymisation or data encryption techniques whenever possible and/or necessary.

When we use a service provider, we only communicate personal data to them after having obtained a commitment and guarantees from them regarding their ability to meet these security and confidentiality requirements. In compliance with our legal and regulatory obligations, we conclude contracts with our subcontractors that precisely define the terms and conditions under which they process personal data.

We also carry out audits of our own services and those of our service providers, in order to verify the application of data security rules.

In the event of a personal data breach, we undertake to notify the Commission Nationale de l'Informatique et des Libertés (CNIL) under the conditions prescribed by the Regulation. If the said breach poses a high risk to our contacts and the data has not been protected, we will notify the contacts concerned and provide them with the necessary information and recommendations.

Exercising your rights in relation to your personal data

We are particularly concerned to respect your rights in relation to the data processing we carry out, to ensure that it is processed fairly and transparently, taking into account the specific circumstances and context in which your personal data is processed.

As such, you have the following rights in relation to your personal data:

Your right to access your data

You have the right to request a copy of your data in a clear and comprehensible format.

Your right to rectify your data

You may ask us to rectify or complete your personal data if it is inaccurate, incomplete, ambiguous or out of date.

Your right to erase your data

You may ask us to delete your personal data if one of the following reasons applies:

- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

- you withdraw the consent previously given;

- you object to the processing of your personal data where there are no compelling legitimate grounds for the processing;

- the processing of personal data does not comply with applicable laws and regulations.

Your attention is drawn to the fact that the right to erasure of data is not a general right and can only be exercised if one of the grounds provided for in the applicable regulations is present.

Thus, if none of these grounds is present, we will not be able to respond favourably to your request. This will be the case if we are obliged to retain the data by reason of a legal or regulatory obligation or for the establishment, exercise or defence of legal claims.

Your right to limit data processing

You may request the restriction of the processing of your personal data in the cases provided for by legislation and regulations.

Your right to object to data processing

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data for which the legal basis is the legitimate interest pursued by the controller (see paragraph above Legal basis and purposes of our data processing).

If you exercise such a right to object, we will ensure that we no longer process your personal data in connection with the processing concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests and rights and freedoms, or for the establishment, exercise or defence of legal claims.

You have the right to object to commercial canvassing as well as to profiling insofar as it is linked to such canvassing.

In particular, with regard to commercial canvassing, you are reminded that you may object to receiving canvassing by post, by electronic means or by telephone.

In the case of canvassing by electronic mail (e-mail, SMS, MMS), we may use this method if you have given your consent at the time of collection. You may then object at any time by clicking on the link in the message sent to you or by contacting us using the contact details given above in the paragraph How to contact us?

If you have accepted commercial canvassing from one of our partners, and you wish to object, you must send your request directly to the partner concerned.

Finally, if you have accepted commercial telemarketing, by ticking a box in the documentation provided as part of your use of our services, you can request, free of charge, that your telephone number be added to the OPPOSETEL telephone canvassing opposition list via the following link: www.bloctel.gouv.fr.

However, it should be noted that this step will not interrupt the receipt of commercial proposals by electronic means, if this method of telemarketing has been expressly consented to and if consent has not been withdrawn from the data controller in accordance with the aforementioned procedures.

Your right to data portability

You have the right to the portability of your personal data. Please note that this is not a general right. Not all data from all processing operations is portable, and this right only applies to automated processing operations, to the exclusion of manual or paper processing.

This right is limited to processing for which the legal basis is your consent or the performance of pre-contractual measures or a contract.

This right does not include derived or inferred data, which are personal data created by OB Holding or its Affiliates.

The data on which this right may be exercised are:

- your personal data, which excludes anonymised personal data or data that does not concern you; and

- declarative personal data and the personal operating data referred to above.

The right to portability may not affect the rights and freedoms of third parties, such as those protected by business secrecy.

You may request data portability in accordance with the procedure set out below, specifying whether you wish to receive the data yourself or, if it is technically possible for us to do so, for us to transfer it directly to another data controller.

In the latter case, you must indicate the exact name of the data controller, its contact details and the department where the data will be processed.

Your right to withdraw your consent

When the data processing that we implement is based on your consent, you can withdraw it at any time at dpo-mutualise@groupe-bertrand.com. We then stop processing your personal data without calling into question the previous operations to which you had consented.

Your right to lodge an appeal

If after requesting our DPO (dpo-mutualise@groupe-bertrand.com) and/or our services, the response provided does not seem to comply with the law, you can lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) on French territory, without prejudice to any other administrative or legal recourse.

By post: CNIL – Complaints department: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

Your right to set post-mortem guidelines

You may define specific instructions relating to the retention, erasure and communication of your personal data after your death, and send them to our services according to the terms defined below. These specific instructions will only concern the processing carried out by us and will be limited to this area only.

You will also have, when this person has been designated by the executive power, the right to define general directives for the same purposes.

How to exercise your rights

All the rights listed above can be exercised by contacting us using the contact details provided in the “How to contact us?” paragraph above, attaching to your request a copy of proof of identity including your signature.

By email:

dpo-mutualise@groupe-bertrand.com

By post:

OB Holding

Legal Department – Personal data

55, rue Deguingand

92300 Levallois-Perret

For all of the rights mentioned above from which you benefit, and in accordance with the legislation on the protection of personal data, you are informed that these are rights of an individual nature which can only be exercised by the person concerned in relation to their own information. To fulfil this obligation, we will verify the identity of the person concerned.

Please note that if the requests from a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, we may either require payment of reasonable fees which take into account the administrative costs incurred to provide the information, carry out the communications or take the requested measures, or refuse to comply with these requests.

Policy Updates

We may, at our sole discretion, modify this Policy. The modifications are applicable and effective from their date of publication. By continuing to use our Services after changes are posted, you agree to comply with them. We invite you to consult the Policy regularly to be informed of any possible modifications. The most recent version of our Policy remains permanently available on the Website.