Privacy Policy

PRIVACY POLICY

 

1 Introduction

This Privacy Policy is intended to inform users (hereinafter referred to as "you") of this Site and the Services provided by Compagnie des Transports du Boulonnais (hereinafter referred to as "the COMPANY") of the methods of collection and processing of personal data by the COMPANY.

 

It also aims to inform users of their rights as well as the exercise of these rights in accordance with the national regulations in force and Regulation 2016/679 of 27 April 2016 on the protection of personal data.

 

The data controller is Compagnie des Transports du Boulonnais, a simplified joint-stock company (company with a sole shareholder) with a capital of €440,000, whose registered office is located at 19 rue René Cassin - Résurgat 3 - 62230 OUTREAU, registered with the Boulogne-sur-Mer Trade and Companies Register under number 539 007 666

 

The COMPANY has appointed Mr. Eric Barbry as its Data Protection Officer (DPO), who can be contacted at the following email address: dpo-ctb@ratpdev.com or by post at the following address: 40 rue de Courcelles, 75008 PARIS.

The persons concerned by this privacy policy

The COMPANY operates a transport network and offers rail and road services. This Privacy Policy applies to you when you subscribe to services offered by the COMPANY.

 

I. The type of data collected

The data collected by the COMPANY in the context of the services it offers are as follows: identification data (surname and first name, date and place of birth, nationality); contact data (postal address and email address, telephone number); geolocation data and browsing data (searches, number of visits, date of the last visit, etc.).

 

II. The purposes

The COMPANY processes your data in the context of the performance of the services we offer you, legitimate interests necessary for the proper functioning of the services as well as under legal obligations.

 

This primarily consists of the management of subscriptions to email alerts, the management of customer relations, the performance of satisfaction surveys, the performance of the proposed service and the sending of information on the the modification or evolution of our services. The COMPANY also processes certain data for statistical and archival purposes.

 

Where applicable, personal data is processed in particular in order to manage your user account, to send newsletters or to send traffic information in real time to your terminal.

 

III. Retention period

The period for which the COMPANY keeps your personal data includes the period of the contractual relationship as well as the legal limitation periods.

 

It is specified that ticketing data is kept for a maximum of 48 hours.

 

 

IV. Recipients of personal data

a. The COMPANY

The COMPANY collects the data necessary for the proper functioning of its services. Any employee of the COMPANY authorised to have access to the data signs a confidentiality agreement.

 

b. Subcontractors

The COMPANY may use subcontractors to perform its services. Subcontractors carry out data processing solely for the performance of the services offered by the COMPANY.

 

The COMPANY contractually requires its subcontractors to comply with security and confidentiality obligations and to implement appropriate technical and organisational measures so that the processing carried out complies with all applicable regulations and guarantees the protection of your rights.

 

c. The competent authorities

The COMPANY may be required to transmit the personal data collected to the competent authorities, such as the public authorities, the French Data Protection Authority ("CNIL") or the General Directorate for Competition Policy, Consumer Affairs and Fraud Control ("DGCCRF").

 

V. Users' rights over personal data

a. Right of access

You have the right to access your personal data. You have the right to obtain confirmation as to whether or not your data is being processed. If you exercise this right, the COMPANY will provide you with a copy of the characteristics of the processing carried out on your data (the purposes of the processing, the categories of data concerned, etc.).

This information will be provided to you either electronically or on paper. You may obtain a copy of your personal data subject to respect for the rights of others.

 

b. Right of rectification

If you find that your data is incorrect or incomplete, you have the right to request that this information be corrected or completed.

 

c. Right to restrict processing

You have the right to obtain the restriction of the processing of your data, in particular if you dispute the accuracy of the data, if the processing is unlawful and you wish to obtain the restriction and not the deletion of your data, or if the data controller no longer needs the data but it is still necessary for the establishment, exercise or defence of a legal claim.

 

d. Right to object to processing

You may object to your data being processed if you have a legitimate reason and if the processing is based on your consent.

 

If you exercise your right to object, your data will no longer be processed. Where the processing is based on a legal obligation, the right to object does not apply.

 

We inform you that the modification or deletion will take place as soon as possible.

 

e. Right to be forgotten

You may request the deletion of your data in the cases listed in Article 17 of the GDPR: when it is no longer necessary for the purposes for which it was processed or collected, when your data must be deleted under a legal obligation, when it has been unlawfully processed or when you withdraw your consent for the purpose in question.

 

However, the deletion of such data may not be carried out when the processing is necessary, inter alia, for the exercise of the right to freedom of expression and information, for compliance with a legal obligation incumbent on the COMPANY, for the establishment, exercise or defence of legal claims.

 

f. Right to data portability

You have a right to the portability of the data you have transmitted. You will be able to access it in a structured, commonly used, machine-readable format. You may also request that this data be passed on to another controller where technically possible.

 

VI. Exercising rights

You may exercise your rights by contacting the DPO appointed by the COMPANY at the following email address dpo-ctb@ratpdev.com or by post at the following address: 40 rue de Courcelles, 75008 PARIS.

 

For any request to exercise your rights, the COMPANY may ask you to provide an official identity document (identity card, passport, driving licence, etc.) in order to verify that you are the person concerned by the data that is the subject of the request.

 

Responses to your requests will be sent to you electronically or on paper. The COMPANY undertakes to reply to any request as soon as possible and within a maximum of one month from receipt of your request. However, this period may be extended by two months when the request is complex or because of the number of requests received.

 

If the COMPANY cannot comply with your request, you will be informed within one month of receipt of your request. The reasons for the refusal will be clearly stated. You will then have the possibility of lodging a complaint with the CNIL and of taking legal action.

 

You are informed that in the event of manifestly unfounded or excessive requests, in particular because of their repetitive nature, the COMPANY may refuse to comply with your requests or demand payment of fees to compensate for the administrative costs incurred in responding to your requests.

 

VII. Security of personal data

The COMPANY implements all appropriate security measures to ensure the protection of the data collected, and in particular to prevent the destruction, loss, alteration, disclosure or unauthorised access of the Data.

 

To this end, security measures such as anonymization or encryption of data will be implemented. Measures to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services will also be taken.

 

You will be notified as soon as possible of any security breach affecting your data that may pose a high risk to your rights and freedoms.

 

 

VIII. Storage of personal data

The servers used by the COMPANY to store your personal data are located in France.

 

The COMPANY transmits certain personal data to its subcontractors providing services necessary for the performance of the services. Some subcontractors host personal data on servers located outside the European Union. Therefore, the COMPANY ensures that they are able to guarantee the same level of data protection as that required by the GDPR within the European Union.

 

IX. Changes to the Privacy Policy

When this Privacy Policy is changed, the update will be posted on the COMPANY's website or via an email stating the date of the update. We invite you to consult it regularly.