PERSONAL DATA PROCESSING POLICY
Version as of March 18, 2020
Pursuant to Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms, and to European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Company informs any person accessing the services offered on the Site (hereinafter, the "User") of its commitment to respect the confidentiality, integrity and security of the data that the User will be required to communicate to it through the website www.bodyfriend.fr (hereinafter, the "Site").
Any personal data identifying the User directly (in particular his surname, first name, postal, electronic, telephone details) or indirectly are considered confidential data and are treated as such, subject to the evolution of the legal framework on the qualification of personal data (hereinafter, the "Personal data").
1. Identification of the data controller
The data controller who collects and manages User data on the Site is Bodyfriend Europe, a simplified joint stock company with capital of €10.800.000,00 whose head office is located at 91, rue du Faubourg-Saint-Honoré, 75008 Paris, registered in the Paris Trade and Companies Register under the unique identification number 845 191 923, represented by its president, Mr. Changjoo Kim.
2. Personal data likely to be collected
When browsing the Site and using the various services offered by the Company, the User consents to the Company collecting the following categories of data:
- Personal identification data: surname, first name, postal address, email address, telephone number;
- Login data: IP address, password.
The User undertakes to provide up-to-date and valid Personal Identification Data, as part of the information required on the Site, and guarantees not to make any false declarations and not to provide any erroneous information.
3. Method of collecting Personal Data
The User consents to the Company collecting his Personal Data when he completes the following documents:
- User account creation form;
- Subscription to the Company's newsletter;
- Payment form.
4. Legal Basis for Collecting and Processing Personal Data
Users' Personal Data is collected on the following legal bases:
- The specific, free and informed consent of the User (in particular for the creation of the User account and the subscription to the newsletter);
- The performance of a legal obligation incumbent on the Company;
- The execution of a contract concluded between the Company and the User (in particular for the execution of the general conditions of use/sale);
- The legitimate interest of the Company (in particular to ensure the security of transactions).
5. Purpose of processing Personal Data
Mandatory Personal Data is data that is strictly necessary for processing or for User requests. In the absence of communication of said data, the User is informed that certain services offered by the Company cannot be provided to him. The mandatory nature of the information requested is indicated to the User during collection.
The optional Personal Data collected by the Company is intended to help it get to know the User better and to improve his browsing experience on the Site.
Personal Data is collected and processed for the following purposes:
- Creation of the User account;
- Subscription to the Company's newsletter;
- Contact and assistance;
- Business relationship management;
- Business development;
- Service improvement;
- Management of operations relating to the management of services (contracts, invoices, orders, etc.);
- Access to the personal space of the Site (accessible by login and password);
- Management of purchases / delivery of ordered products.
Users are informed that, subject to their prior, specific, and positive consent, the Personal Data transmitted may be transferred to commercial partners of the Company and/or to companies belonging to the same group as the Company, so that the latter inform Users about their offers and services.
6. Duration of retention of Personal Data
Personal Data transmitted directly is erased or archived at the end of a period of five (5) years after the last use of the Site by the User.
This data may also be kept for a period of ten (10) years thereafter in the archive database, with restricted access, in order to (i) comply with the legal and regulatory obligations of the Company, and/or (ii) allow it to assert a right in court, and this before being definitively deleted.
Automatically collected "web analytics" data relating to your browsing, the duration of your consultation, your IP address, and your browser type and version will be kept for a maximum of 13 months.
7. Recipient of Personal Data
The User's Personal Data is intended for persons duly authorized to process it within the Company, in particular, and depending on the nature of the processing and the type of data, the persons in charge of the sales department, customer service, the marketing department, the administrative department, and the logistics and IT department.
As part of the exercise of its activities and the provision of its services, the Company uses subcontractors, who:
- process the User's Personal Data on its behalf, and on its instructions;
- present sufficient guarantees as to the implementation of the appropriate technical and organizational measures, in order to ensure the security and confidentiality of the User's data.
In cases where the Company uses subcontractors located in countries offering a level of protection not equivalent to the level of protection of personal data in the European Union, the Company undertakes to ensure that said transfer is governed by the data protection shield set up between the European Union and the United States ("Privacy Shield"), by standard contractual clauses established by the European Commission, or by binding corporate rules (“BCR”).
8. Measures implemented by the Company to ensure the security and confidentiality of Personal Data
The Company undertakes to process Personal Data:
- within the strict framework of the purposes pursued and announced;
- for the duration necessary for the processing operations put in place.
The Company implements and updates appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data by preventing it from being distorted, damaged or communicated to unauthorized third parties.
9. Users' Rights to Personal Data
It is possible for the User, upon simple written request, to access the Personal Data concerning him, to request their modification or rectification, or to demand that he no longer be included in the Company's database.
Under the right of access, the User is authorized, in accordance with Article 15 of the GDPR, to question the Company in order to obtain (i) the communication of the Personal Data concerning him in an accessible form, (ii) confirmation that his Personal Data is or is no longer subject to processing, (iii) the communication of the purposes of the processing, the categories of Personal Data processed and the recipients to whom his Personal Data is communicated and (iv) the retention period of his Personal Data or the criteria used to determine this duration.
In accordance with Article 16 of the GDPR, the right of rectification grants the User the right to require the Company to rectify, complete or update their Personal Data when they are inaccurate, incomplete, ambiguous or out of date.
Under the conditions provided for in Article 17 of the GDPR, the User has a right to erasure of personal data, allowing him to ask the Company to erase his Personal Data as soon as possible, in particular when they are no longer necessary with regard to the purposes for which they are collected.
The User also has a right to limitation of the processing of his Personal Data in the cases listed in Article 18 of the GDPR. He can thus request that his personal data be kept only in order to:
- verify the accuracy of the Personal Data he disputes;
- serve him in the context of the recognition, exercise or defense of his rights in court, even though the Company no longer has any use for it;
- check whether the legitimate reasons pursued by the Company prevail over his own in the event that he opposes the processing based on the legitimate interest of the Company;
- satisfy his request for limitation of the use of his data - rather than erasure - in the event that the processing of his data is
Under the circumstances provided for in Article 20 of the GDPR, the User has a right to portability of his Personal Data, allowing him to recover from the Company the Personal Data he has provided to it, in a structured, commonly used and machine-readable format, for the purpose of transmitting them to another data controller.
In accordance with Article 21 of the GDPR, the User has the right to object, at any time, to the processing of his Personal Data for commercial prospecting purposes.
In accordance with Article 85 of Law 78-17 of January 6, 1978 relating to data processing, files and freedoms, the User may define specific directives relating to the storage, erasure and communication of his personal data post-mortem. These specific directives will only concern the processing implemented by the Company and will be limited to this sole scope.
To exercise his rights of access, rectification, erasure, limitation, portability and opposition referred to above, the User need only send his request by e-mail to the following address: firstname.lastname@example.org
The Company will provide the person who exercises one of these rights with information on the measures taken, as soon as possible and in any event within one (1) month of receipt of the request. This period may be extended by two (2) months, given the complexity and number of requests.
If the Company does not act on the request, it will inform the person, as soon as possible and at the latest within one (1) month of receipt of his request, of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy.
The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right (i) to require the payment of fees taking into account the administrative costs, or (ii) to refuse to respond to these requests.
10. Remedies for Personal Data Breaches
In the event of a breach of the User's Personal Data likely to create a risk for his rights and freedoms, the Company notifies the CNIL of the breach as soon as possible and, if possible, no later than seventy-two (72) hours after becoming aware of it. The Company will also inform the User thereof as soon as possible, in accordance with the provisions of Article 34 of the GDPR.
Without prejudice to any other administrative or judicial remedy, the User who considers that the processing of his Personal Data constitutes a violation of the provisions of the legislation in force may lodge a complaint with a competent supervisory authority such as the National Commission for Computing and Liberties (CNIL).
11. Request for information
For any questions regarding the processing of their personal data and the exercise of their rights, Users may contact the dedicated department by email at the following address: email@example.com