I. SCOPE OF APPLICATION AND DEFINITIONS
NOLINSKI PARIS (hereinafter “Nolinski”) is a French société par actions simplifiée registered at the Commercial and Companies Registry of Paris under the number 803 406 909, whose registered office is located at 17, avenue de l’Opéra – 75001 Paris, whose business activity is the operation and management of high-end hotels, spas and restaurants including related events associated with or hosted by these establishments.
Nolinski is a member of the hotel group known as Evok Hôtels Collection (hereinafter the “Evok Group”), which is coordinated by the partnership known as Evok Hôtels Collection SNC, located at 17, avenue de l’Opéra in the 1st arrondissement of Paris (hereinafter “Evok”)
Nolinski currently conducts its business within the framework of the following establishments (hereinafter the “Establishments”) and bespoke websites (hereinafter the “Websites”):
Within the framework of its business activities, Nolinski processes personal data within the meaning of the French Act of 6 January 1978 on computer technology, computer files and civil liberties and of the European Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data which entered into force on 25 May 2018, hereinafter “Processing”.
Personal data: personal data is any and all information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to that natural person. To determine whether a person is identifiable, account should be taken of all the means enabling his or her identification which are available or accessible to the controller or to any other person.
Processing: Processing of personal Data means any operation or set of operations performed on such Data, whatever the means used, and in particular the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as locking, erasure or destruction.
Data Subject: a person concerned by the Processing of personal Data is the person to whom the Data which is the subject of a Processing relates.
The purpose of this Personal Data Processing Charter is to set out for the benefit of those persons coming into contact, or wishing to come into contact, in one way or another, with Nolinski, and in particular users of the Websites, the conditions according to which their Personal Data will be subject to Processing, and the rights of the Data Subjects in this regard.
II. DATA PROCESSED
1°) Categories of Data:
The Data liable to be processed by Nolinski, from whatever source they are collected, are the following:
Nolinski will only process specific Data where such are combined with a request presented by a Data Subject and that the Processing is necessary to the performance of the services thus requested. Specific Data which is revealed incidentally or allegedly by other non specific Data processed by Nolinski shall not be, per se, subject to Processing.
The Data above marked with an asterisk (*) are indispensable to the conclusion and efficacy of bookings, stays or services ordered, which cannot be validated or provided without disclosing such Data.
The other Data are necessary only to the extent where the Data Subject intends to procure performance of services whose contents or nature are dependent on the relevant Data; their supply is therefore strictly a matter of appraisal by the Data Subjects.
2°) Data Subjects:
Data relating to vital statistics and Contact data processed by Nolinski are collected from all persons coming or wishing to come into contact with Nolinski or with the Establishments: customers, prospective clients, suppliers, trade partners, press, job seekers etc., whether by visiting or browsing the Websites, by sending contact forms, via booking forms, e-mails or other correspondence, or verbally by phone or actual physical contact.
Personal-related data, Professional-related data, Specific data, Location data and Payment data are collected, as appropriate, according to what is stated in 2°), from all persons making a booking or a stay or other experience (meals, receptions, events, beauty care or use of the spa) within one of the Establishments, or more generally receiving a service or goods from one of the Establishments.
Minors. The Websites are designed for majors. Legal guardians of minors must take responsibility to monitor and supervise their use of communication tools, and in particular their web browsing behaviour.
3°) Data collected directly by Nolinski:
Nolinski will collect directly itself certain data in certain configurations, as follows:
4°) Data collected by Nolinski’s trade partners:
Nolinski processes Data relating to vital statistics, Contact data, Personal-related data, Professional-related data, Specific data, Location data, Payment data collected by the following persons which are Nolinski partners:
5°) Data collected via third-party Cookies enabled on the Websites
Nolinski processes Login data and Browsing data collected by the Cookies enabled by Nolinski and implemented on the Websites by Google, via Google Analytics and Adwords which are used by Nolinski.
Find out more about Cookies.
6°) Publicly accessible Data:
Nolinski also processes publicly accessible Data relating to vital statistics and Contact data, such as for instance, data supplied on a website, a telephone messaging service, the masthead in print publications, publicly available professional registers etc.
III. CHARACTERISTICS OF PROCESSING
1°) Activities giving rise to Processing:
The personal Data described in II 1° are processed by Nolinski within the framework of the following activities:
– Hotel, bar and restaurant services delivered by the Establishments, spa, beauty care and wellness services associated with the Establishments;
– Establishment Venues: organisation of cultural, artistic and entertainment or public relations venues;
– Sale of furniture and decorative items on display in the Establishments;
– Correspondences with people coming into contact with Nolinski (enquiries, candidacies, offers for goods or services etc.)
All categories of Data according to what is necessary to perform the service or to process the request and what is disclosed by the Data Subject.
Activity (ii) : Involvement of Nolinski and of the afore mentioned activities, in the business activity of the Evok Group (comprising: development of hotel establishments, restaurants, and wellness centres, conception of promotional strategies and tools, diffusion and communication of the Group, development of commercial packages, creation of events) in its development, in its communications, media exposure and commercial attraction strategy: Data relating to vital statistics, Contact data, Login data and Browsing data.
2°) Processing purposes:
Activities (i): the purposes of the Processing are:
– As a general rule: to satisfy, handle, process requests or offers of any kind addressed to Nolinski; to perform, improve, diversify and anticipate services requested by Nolinski’s clients in relation to their stay or experience at the Establishments:
– As concerns the hotel, bar and restaurant services and the spa, beauty care and wellness services associated with the Establishments, and as concerns Establishment Venues: to manage the capacity, organisation, reception desk and customer access services at the accommodation or at the Establishment; to satisfy specific customer requests during their stay or experience at an Establishment (meals, receptions, beauty care, use of the spa, valet parking, supply of smartphones, pet hospitality, babysitting etc.), to personalise or provide customer courtesy or loyalty services, to plan Nolinski’s resources and supplies, to pay for services;
-As concerns the Sale of furniture and decorative items on display in the Establishments: to ensure payment, supply, follow-up, deliver orders and to manage after sales services,
– As concerns other solicitations received by Nolinski: to respond to the contact, to possibly satisfy their request or accept their offer, even at a later date.
Activities (ii): The purpose of the Processing by Nolinski is the transmission of Data to the partnership known as Evok Hôtels Collection SNC, with the following purposes:
Data relating to vital statistics and Contact data: to provide trade communications, promotional and prospecting services relating to the development of the activities of the Evok Group, to implement loyalty programs (to provide a news feed relating to the Evok Group, in particular via the newsletter, invitations to public relations events and communications relating to commercial packages) by means of e-mailing and text messaging campaigns.
Login data and Browsing data: See the Cookies section.
For further details: see Evok’s Personal Data Processing Charter.
Activities (i) : Nolinski is the Controller.
Activities (ii) : Evok is the Controller.
4°) Basis for Processing:
Activities (i) : The Processing is based:
For the hotel and restaurant services delivered by the Establishments; the spa, beauty care and wellness services associated with the Establishments; Establishment Venues, comprising the organisation of cultural, artistic and entertainment or public relations venues; the Sale of furniture and decorative items on display in the Establishments: on performance of the contractual or pre-contractual service requested by the Data Subject ; on the implementation of the legal requirements of the Controller in particular as concerns account keeping and the archiving of business records and invoices; in addition, on the achievement of the legitimate interests pursued by Nolinski * in any case.
For all other solicitations received by Nolinski: on the achievement of the legitimate interests pursued by Nolinski or on the processing of the solicitation.
*The legitimate interests of Nolinski are in particular to successfully develop, maintain and constantly improve customer relations, to achieve their satisfaction, as well as to diversify and give incentive to its customer base, to maintain the quality of and renew its offering, to maintain an image and brand of luxury hotels, restaurants and venues which are viewed both as high-end, cultural, refined and diverse;
Data relating to vital statistics and Contact data. The Processing is based on the consent of the Data Subject and, for communication requirements directed at Nolinski’s customers and professionals affiliated with or interested in the business sector of Nolinski and Evok, on the achievement of the legitimate interests pursued by Nolinski and Evok*.
Login data and Browsing data. The Processing is based on the consent of the Data Subject, which is solicited from the very first visit to the Websites from which the Data are collected.
*The legitimate interests of Nolinski and Evok are in particular to develop the Evok Group and its establishments, to promote media exposure, commercial attraction, the quality and diversification of its offering and of its key achievements, to maintain and develop an image, a brand and a label of luxury or very high-end amenities.
It is recalled that the Controller in charge of the Processing carried out within the framework of the Activities (ii) is Evok. See Evok’s Personal Data Processing Charter.
5°) Contractual requirement of Data:
Only Data relating to vital statistics, certain Contact data (e-mail address and mobile phone number, postal address as appropriate), certain Personal-related data, certain Location data and the Payment data are necessarily required to conclude a booking and to perform a service; they are marked with an asterisk above and are specified to the Data Subject prior to each booking or purchase.
Other Data may be freely and voluntarily disclosed by Data Subjects within the framework of their specific requests.
6°) Recipients of the Data:
Data relating to vital statistics, Contact data, Login data and Browsing data collected or received by Nolinski are transmitted to Evok within the framework of the aforementioned Processing for which Evok is the Controller. See Evok’s Personal Data Processing Charter.
The performance of certain operations necessary to the Processing implemented within the framework of the Activities (ii) (database formatting and maintenance, storage of Personal data and Contact data) are carried out on behalf of Evok by the company known as Sarbacane Software SAS, registered at the Commercial and Companies Registry of Lille no. 509 569 598, whose registered office is located at 3 avenue Antoine Pinay – Industrial Estate (ZA) “des Quatre Vents” – 59510 HEM, acting in a processor capacity. See Sarbacane’s Personal Data Processing Charter.
The Data collected or received by Nolinski are not transmitted by Nolinski, or by Evok, to any other recipient apart from, as applicable, the legally empowered authorities, within the framework of a specific assignment or of the exercise of a right of communication.
7°) Data retention period:
The Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which they are processed.
Where Processing is based on the Data Subject’s consent, the Data processed will only be kept by Nolinski for as long as the consent prevails.
Any new disclosure of Data, even where such have already been disclosed beforehand by the Data Subject, according to one or the other of the means of collection mentioned under section II “Data processed” will trigger a new retention period, irrespectively of the previous retention periods.
Personal-related data, Professional-related data, Specific data, Location data and Payment data are kept for the period necessary to the performance of the contractual and pre-contractual services requested by Data Subjects and for which such Data are disclosed.
Personal-related data and Professional-related data, can be kept for an additional period of one year from the end of the Data Subject’s stay or experience within the Establishment.
Specific data are only kept for the period strictly necessary to the performance of the contractual or pre-contractual services requested by Data Subjects and for which such Data are disclosed, or to Nolinski’s adherence to legal requirements (in particular storage and archiving of nominal invoices, book keeping and other accounting or tax requirements).
Payment data are kept for the period strictly necessary to each payment in view of which they are disclosed and to Nolinski’s adherence to legal requirements (in particular storage and archiving of invoices, book keeping and other accounting or tax requirements).
1°) Definition :
A Cookie is a tracking tool which consists of a small computer file or a short alphanumeric combination, which is automatically installed or read by a network provider or a website on the terminal device (computer, mobile phone, tablet, video games console) of the Data Subject, that can access the data already stored in said terminal, or write or store information on that device.
2°) Purposes to the use or enabling of Cookies and information transmitted by Cookies:
The operation of the Websites requires the implementation of the following Cookies, which are presented according to the functionalities provided by each type of Cookie :
– Implementation and facilitation of electronic communication and supply of online communication services, exclusively: Functional cookies;
– Improvement of Website browsing experience; organisation of visualized content (including Google Maps interactive maps and YouTube videos), saving of personal data already entered by the Data Subject, tracking of user preferences and options, for instance for the efficiency of a booking, saving services already requested: Efficiency cookies;
– Measuring web traffic: Web traffic cookies;
– Monitoring browsing habits (Websites and pages visited, search history and search terms used) and preferences of Data Subjects in view of customized ads: Advertising cookies; Advertising cookies are also installed by Google via YouTube videos and Google Maps interactive maps accessible on the Websites: the data collected (login, location and browsing data) are not processed by Nolinski but by Google ;
– Promotion of the websites and improvement of their user-friendliness, via social media sharing functionalities (Facebook, Twitter, Instagram, Google+, Pinterest, Linkedin), by means of the share button enabling web browsing to be tracked by the websites of these social media, whether or not these buttons or links are hit by the Website user: Social media cookies. The Data collected by these Cookies are not processed by Nolinski, but by the aforementioned social media operators.
3°) Consent of Data Subjects:
The use of Efficiency cookies, Advertising cookies, Web traffic cookies and Social media cookies, that is to say all Cookies apart from functional Cookies, implies the consent of the Data Subject.
In accordance with article 32 II of the act of 6 January 1978, the consent of the Data Subject can result from his or her connection settings. Website users are prompted to check or alter their settings before pursuing their browsing experience on the Website. By continuing to browse the Website, that is to say by visiting another page of the Website from the Website or by clicking on any item of the Website (image, link, thumbnail etc.), the Data Subject expresses his or her consent to the use of the above mentioned Cookies.
4°) Cookies’ validity period:
5°) Blocking or Managing Cookies:
Click on the browser menu (Safari, Mozilla etc.), then choose “Preferences” or “Settings” or “Tools”; then proceed as follows depending on your web browser:
Safari: “Privacy” > “Cookies and website data”: choose the desired options; to block cookies entirely, select: “Always block” and check the box “Website tracking: Ask websites not to track me” if not already checked;
> also, to manage Data and Cookies already stored on the terminal: “Manage website data”: make the desired data deletions by selecting the Data and Cookies sources and categories in the panel then by clicking the “delete” button;
Mozilla Firefox: “Privacy and Security” > “Cookies and site data”: make the desired settings, after consulting the “Learn more” section;
– to block all Cookies : click the button “Block Cookies and site data (may cause websites to break)” ;
– to manage Cookies: click on the button “Enable Cookies (recommended)” and select among the proposed options (i) keep Cookies: to limit to the maximum extent possible, select “until I close Firefox”, (ii) accept third-party Cookies: to limit to the maximum extent possible, select “Never” ;
– also, with the use of the three buttons “Clear Data”, “Manage Data” or “Manage Permissions”, the user can delete all (“Clear”) or part (“Manage”) of the Data and Cookies already stored on the terminal or authorise certain Websites only to use these Cookies (“Manage Permissions”) ;
Internet Explorer: “Internet Options” > Thumbnail “Privacy” > “Advanced” button to prompt the window “Advanced Privacy Settings” > check the box “Override automatic cookie handling”, then select the desired option: accept, block or be prompted to determine the desired configuration for first-party and third-party Cookies.
Chrome: “Show advanced settings” (at the bottom), then in the Privacy Section click on “Content settings” then “Cookies” section, then:
– to delete all or specific Cookies : “All cookies and site data” > “Remove all”; or mouse over the name of the website and Delete
– to change the default settings relating to Cookies: turn “Allow sites to safe and read cookie data” on or off; turn on “Block third-party cookies” to block third-party Cookies;
to block Cookies for a specific site only: next to “Block”, “Clear on exit” or “Allow” click “Add”, then enter the Website address and click “Add”.
Other specific solutions:
Besides the general settings of your browser, there are solutions to control, manage or personalise, depending on their purpose or the entity using the Cookies.
Advertising cookies. These Cookies are implemented by Nolinski via Adwords provided by Google (Google services). To disable these: https://policies.google.com/technologies/product-privacy?hl=fr, then “Control your ads settings” and select the desired options.
Advertising Cookies used by Google can be disabled on: https://policies.google.com/technologies/cookies?hl=fr&gl=fr, and by clicking on “ad settings”, or further still on: https://policies.google.com/privacy?hl=fr&gl=fr then “Your privacy controls”.
As a general rule, most advertising Cookies can also be controlled via an online choice platform: www.youronlinechoices.eu, http://optout.aboutads.info/?c=2&lang=EN (USA) or https://youradchoices.ca/.
Google Maps and You Tube Cookies: go to: https://policies.google.com/technologies/product-privacy, then select the desired options in each menu. The Google Maps terms of service are also available by clicking on the link on the interactive map.
Web traffic cookies. These Cookies are implemented using the Google Analytics tool provided by Google. Users can disable these by installing the opt-out browser add-on at: https:// support.google.com/analytics/answer/181881 ?hl=fr.
Social media cookies, implemented via the share buttons accessible on the Websites. Social media networks generally provide for the possibility to block, manage or personalise Social media cookies via an add-on available to all, network members and non-members alike, as well as via the settings of the member’s account. To manage the Cookies, go to: Facebook and Instagram (and other Facebook products) : https://www.facebook.com/policies/cookies/ ;
Pinterest : https://policy.pinterest.com/fr/cookies ;
Cookies personalisation page. Users can also visit, on each Website, the page devoted to the Personalisation of Cookies.
6°) Consequences of a refusal or objection:
Objections to Functional cookies, in particular if the user objects to all Cookies, will make operation of the communication service impossible. The user will not be able to browse the Website.
Objection to Efficiency cookies will not bar access to the Websites and to their functionalities, but may lead to a less efficient and less seamless browsing experience and to the reduced performance of the Websites’ functionalities and services, including booking services.
VI. RIGHTS OF THE DATA SUBJECT
1°) Right of access:
The Data Subject, providing proof of identity, shall have the right to question the Controller in view of obtaining:
At the request of the Data Subject, a copy of the personal Data which concerns him or her will be sent to him or her by the Controller. For any further copies, the costs associated with the reproduction and delivery thereof will be for the account of the Data Subject.
The Controller will not respond to manifestly unreasonable requests, in particular due to their number, or because of their repetitive or systematic character.
2°) Right to rectification:
The Data Subject, providing proof of identity, shall have the right to obtain, without undue delay, the rectification of inaccurate personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject shall have the right to have incomplete personal Data completed, including by means of providing a supplementary statement
3°) Right to erasure:
The Data Subject, providing proof of identity, shall have the right to obtain from the Controller the erasure, without undue delay, of personal Data concerning him or her, where one of the following grounds applies:
4°) Right to restriction of Processing:
The Data Subject, providing proof of identity, shall have the right to obtain restriction of Processing where one of the following cases applies:
Where Processing has been restricted under this paragraph, such Data shall, with the exception of storage, only be processed with the Data Subject’s consent, or for the exercise of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained a restriction of Processing pursuant to this paragraph will be informed before the restriction is lifted.
5°) Data portability:
Where the Processing is based on the consent of the Data Subject or on performance of the contract or on the pre-contractual measures requested by the Data Subject and that the Processing is carried out by automated means, the Data Subject shall have the right, without prejudice to the right contemplated in 3°) and to the rights and freedoms of third parties, to receive the Data concerning him or her, which he or she provided to the Controller in a structured, commonly used and machine-readable format and to transmit those Data to another Controller, or to have the Data transmitted directly to another Controller, where this is technically feasible.
6°) Right to object:
The Data Subject may object at any time, on legitimate grounds, to the Processing of his or her Data that should be based exclusively on the legitimate interests pursued by the Controller or by a third party authorised by the Controller.
The Data Subject shall have the right to object, at no expense, and at any time, to the Data concerning him or her, being used for direct marketing purposes, in particular commercial marketing, including for the purpose of profiling where such is related to such direct marketing, by the current Controller for such processing or the controller for any subsequent processing.
The exercise of this right shall not adversely affect the lawfulness of the Processing carried out prior to the exercise of the right to object.
7°) Withdrawal of consent:
Where Processing is based on consent of the data subject, the latter shall have the right to withdraw his or her consent at any time.
The exercise of this right shall not adversely affect the lawfulness of Processing based on consent before its withdrawal.
8°) Automated individual decisions, including profiling:
Unless he or she has granted express consent or that the conclusion or performance of the contract so requires, the Data Subject shall have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects or similarly significantly affects him or her.
9°) Instructions relating to the Processing of Data after death:
Any data subject may issue instructions relating to the storage, erasure and disclosure of his or her personal Data after his or her death. These instructions may be either general or specific. Instructions of a general nature concern all personal Data relating to the Data Subject and can be recorded with a digital trusted third party certified by the Commission nationale de l’informatique et des libertés. Instructions of a specific nature concern the Processing of personal data mentioned by these instructions. They are recorded with the relevant Controllers. General and specific instructions define the manner according to which the data subject intends for the rights mentioned in this section to be exercised after his or her death.
The Data Subject can alter or revoke his or her instructions at any time.
These instructions may appoint any person as an executor. That person will then be entitled, when the Data Subject dies, to examine the instructions and to request the relevant Controller to implement these. Failing such appointment, or, save instruction to the contrary, in the event of death of the appointee, his or her heirs are entitled to examine the instructions upon the death of their predecessor in title and to request the relevant Controller to implement these.
10°) Exercise of rights with respect to the Controller
The Data Subjects shall exercise the rights contemplated in this section by sending their requests or instructions by post or e-mail to:
Evok Hôtels Collection SNC
Personal Data Protection
17, avenue de l’Opéra – 75001 Paris
Requests must include due documentary evidence of the identity of the person responsible for the request. In the event of reasonable doubt, the Controller may ask for additional information necessary to confirm such identity.
That person must indicate in his or her request, the rights that he or she intends to exercise, as well as the Data and the Processing (purposes, basis) to which such exercise pertains and where applicable, the instructions, that he or she intends to send the Controller.
Incomplete requests will not be processed. In any event, the Controller reserves the right to claim any additional information necessary to the implementation of the rights invoked.
11°) Complaints with the supervisory authority:
Without prejudice to any other effective judicial or administrative remedy, any Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he or she has his or her habitual residence, his or her place of work or in the location where the violation was allegedly committed, if he or she considers that the personal Data Processing concerning him or her is an infringement of the regulatory framework relating to the protection of personal data.
In France, the supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL) located at 3, place de Fontenoy- TSA 80715 – 75334 Paris Cedex 07.
VII. PERSONAL DATA PROTECTION OFFICER
Mrs Solenn GUBRI is appointed as the Personal Data Protection Officer (PDPO) for the entire Evok Group, including Nolinski.
Data subjects can contact the PDPO regarding any issues relating to the processing of their personal data and to the exercise of the rights they are conferred by the General Data Protection Regulation.
To contact the PDPO:
– by post
Evok Hôtels Collection SNC
Personal Data Protection
For the attention of the Personal Data Protection Officer
17, avenue de l’Opéra – 75001 Paris
– by e-mail: firstname.lastname@example.org