The data controller is RATP DEVELOPPEMENT, public limited company governed by an executive board and a supervisory board with a share capital of 517 301 072,70 euros located at 54, Quai de la Rapée 75012 Paris (France) and registered in the Paris Trade and companies register under number 389 795 006 (herein after referred to as the “Company”).
The Company has appointed a Data Protection Officer (hereinafter “DPO”) that you may contact at the following email address: firstname.lastname@example.org or at the postal address:
Délégué à la protection des données
54 Quai de la Râpée,
75012 Paris, France
II. Type of personal data
Personal data collected by the Compagny as part of the services it offers are as follows:
- identifying data (Last name, first name, date/place of birth, nationality) ;
- contact data (email and postal address, phone number) ;
- navigation data (searches, number of visits, date of the last visit…).
III. Purposes of processing
The Compagny processes your data in the framework of the execution of the services the company offers. Furthermore, the processing is necessary regarding to legitimate interests in order to ensure a good functioning of services as well as for the title of legal requirements.
First of all, it includes the management of subscription to email alerts, the management of customer relation, the realization of satisfaction survey, the execution of services and the sending of diffusion of information concerning the evolution of our services.
The Compagny also process some data for statistical and archival purposes.
When necessary, personal data are processed in order to manage your user account, the sending of newsletter or the sending of traffic information in real time.
IV. Time of retention
The length of time that the Compagny retains your personal data includes the period of the contractual relationship as well as the statutory limitation periods.
It is specified that the ticketing data are kept for a maximum duration of 48 hours.
V. Recipients of personal data.
a. The Compagny
RATP DEVELOPPEMENT collects data necessary to ensure the proper functioning of services and delivery. Every collaborator of RATP DEVELOPPEMENT entitled to access data sign a confidentiality agreement.
The Compagny may work with subcontractors in order to perform some services. The subcontractors carry out data processing only for the execution of the services offered by the Compagny.
The Compagny contractually impose to its subcontractors to respect all of the regulation concerning confidentiality, technical and organizational measures in a way that data process follow the current legislation and ensuring a protection of customers’ rights.
c. Competent authorities
The Compagny may be required to transmit some personal data to the competent authorities, such as the public authorities, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) or the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (« DGCCRF »).
VI. Rights of the data subject.
a. Right of access.
You have the right to access the personal data that concerns you. You have the right to receive confirmation from the controller that the data about you is or is not being processed.
If you exercise this right, the Compagny will provide you with a copy of the characteristics of the processing carried out on your data (the purposes of the processing, the categories of data concerned, etc.).
This information will be provided to you either electronically or in paper format. You may obtain a copy of your personal data subject to the respect of the rights of others.
b. Right to rectification
If you find that the data concerning you are incorrect or incomplete, you have the right to ask for the correction or the completeness of this information.
c. Right to restriction of processing
You have the right to obtain from the controller the restriction of your personal data processing in particular when you contest the accuracy of data, when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead or when the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
d. Right to object a data processing
You have the right to object the processing of your personal data, at any time, if you have legitimate ground and if the process is based on your consent.
Once you use your right to object, your data will no longer be processed. Where the processing is based on a legal regulation, the right to object would not be applicable.
We inform you that the modification or deletion will intervene without undue delay and at the latest within eight (8) working days from the receipt of your request.
e. Right to be forgotten.
You have the right to obtain from the controller the erasure of your personal data without undue delay in accordance with the following grounds:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed ;
- the personal data have been unlawfully processed ;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject ;
However, the erasure of these data may not be effected when the processing is necessary for the exercise of the right of freedom of speech, for the fulfillment of a legal obligation or to the ascertainment, use or defense of rights in front of a court.
f. Right to data portability
You have the right to portability for the data you transmitted. You may access to those data in a structured format, commonly used and readable by machine. You also may request your personal data to be transmit to another data controller when technic permits it.
VII. Exercise of rights
Délégué à la protection des données
54 Quai de la Râpée,
75012 Paris, France
For any request to exercise your rights, the Compagny may ask you to send an official identity document (ID card, passport, license driver) to verify that you are the data subject of the data you are requesting.
The answers to your requests will be communicated to you electronically or in paper form.
The Compagny undertakes to respond to any request as soon as possible and within a maximum of one month from the receipt of your request. However, this period may be extended by two months when the request is complex or because of the number of requests received.
If the Compagny cannot respond to your request, you will be informed within one month of receipt of your request. The reasons for refusing you will be clearly indicated. You will then have the possibility to lodge a complaint with the CNIL and to form a judicial appeal.
You are informed that in the case of requests that are manifestly unfounded or excessive, in particular because of their repetitive nature, the Compagny may refuse to grant your requests or require the payment of fees to offset the administrative costs incurred in responding to your requests.
VIII. Personal data security
The Compagny implements all appropriate security measures to ensure the protection of the data collected, and in particular to prevent the destruction, loss, alteration, disclosure or unauthorized access of the Data.
To this end, security measures such as data encryption will be implemented. Measures to ensure the ongoing confidentiality, integrity, availability and resiliency of treatment systems and services will also be taken.
Any breach of security affecting your data and likely to create a high risk for your rights and freedoms will be notified to you as soon as possible.
IX. Storing of personal data
The servers used by the Compagny to store your personal data are located in the European Union.
The Compagny transmits certain personal data to its subcontractors providing services necessary for the performance of services. Some subcontractors host personal data on servers located outside the European Union. Therefore, the Compagny ensures that they are able to guarantee the same level of data protection as that required by the RGPD within the European Union.