Privacy Policy

PREAMBLE

Article 1.  Parties to this contract 

Between the undersigned:

 1° MAIAN, joint stock company, registered on Annecy Trade and Companies Register under number 908 864 911, with registered office at 130 avenue de Genève, 74000 Annecy, and with VAT number FR17908864911.

Hereinafter referred to as the “Controller” 

And

2° Any natural person 

  •  browsing the Controller’s website;

AND/OR

  • benefiting from the hotel services and/or related services offered by the Controller.

Hereinafter referred to as the “Data Subject”. 


The parties have agreed as follows:

Article 2.  Purpose 

The present Privacy Policy shall apply, without restrictions or reservations, between the Data Subject and the Controller.

The purpose of the present Privacy Policy is to provide information regarding the way in which the Controller collects and processes the Data Subject's Personal Data, in compliance with the legislation in force, and in particular European Regulation n° 2016/679 and law n°78-17 (hereinafter referred to as the “Legislation”), in relation to:

  • The hotel services and related services offered by the Controller to the Data Subject (hereinafter referred to as the “Service”);
  • The website www.hoteltarentaise.com (hereinafter referred to as the “Website”). 

AGREEMENT

Article 3.  Principles of Personal Data Processing

In compliance with the Legislation, the Controller shall undertake to respect the following principles in the Processing of all Personal Data: 

  • Lawfulness;
  • Fairness;
  • Transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity;
  • Confidentiality;
  • Responsibility.

Article 4.  Personal Data subject to Processing

As the Data Subject browses the Website and/or in the Controller’s performance of a Service, the Controller is required to collect and process certain Personal Data, notably:

  • Personal information (name, surname, gender, postal address, email address, telephone number, date of birth, nationality);
  • Bank details (credit card number);
  • Copies of your identity documents (identity card, passport, driving license);
  • Information on your stay (arrival and departure date, reservation number);
  • Preferences (type of bedding, smoker/non-smoker, diet, allergies, special requests);
  • Technical information (browsing behavior on the Website, IP address).

Article 5.  Context of the Processing

The Data Subject’s Personal Data may be collected and processed by the Controller on various occasions, notably:

  • Performance of a Service;
    • Room reservations;
    • Registration and payment;
    • Requests and complaints;
  • Transmission of Personal Data by a Third Party;
  • Browsing on the Website;
    • Logging onto the Website;
    • Contacting the Controller on the Website;

Article 6.  Purpose of Processing and storage of Personal Data

Purpose of Processing: Performance of the Services and compliance with accounting standards

Legal basis for Processing:

  • Contract;
  • Legal obligation;
  • Legitimate interest of the Controller to manage the Services and provide the Data Subject with the Services requested.

Duration of storage of Personal Data: 10 years from the date of reservation

Purpose of Processing: Management of consumption and access to rooms

Legal basis for Processing:

  • Contract;
  • Legitimate interest of the Controller to manage the Services and provide the Data Subject with the Services requested.

Duration of storage of Personal Data: 3 years from the end of the Data Subject’s stay

Purpose of Processing: Management of commercial relations and sales leads

Legal basis for Processing:

  • Consent of the Data Subject.

Duration of storage of Personal Data: 3 years from the date of last contact with the Data Subject

Purpose of Processing: Improvement and personalisation of the Services

Legal basis for Processing:

  • Contract;
  • Legitimate interest of the Controller to improve and personalize its Services.

Duration of storage of Personal Data: 3 years from the date of last contact with the Data Subject

Purpose of Processing: Complaints management

Legal basis for Processing:

  • Contract;
  • Legitimate interest of the Controller to improve and personalize its Services.

Duration of storage of Personal Data: 3 years from the date of last contact with the Data Subject

Purpose of Processing: Security of premises

Legal basis for Processing:

  • Legitimate interest of the Controller to ensure that the premises are secure.

Duration of storage of Personal Data: 1 month

Purpose of Processing: Security and improvement of the Website

Legal basis for Processing:

  • Legitimate interest of the Controller to manage and administer the Website, ensure that it is secure, and prevent fraud and malicious acts.

Duration of storage of Personal Data: 13 months

Purpose of Processing: Statistics

Legal basis for Processing:

  • Legitimate interest of the Controller to improve its Services.

Duration of storage of Personal Data: 3 years from the date of last contact with the Data Subject

Purpose of Processing: Compliance with the Legislation

Legal basis for Processing:

  • Legal obligation.

Duration of storage of Personal Data: Duration defined by the Legislation

The Controller reserves the right to anonymise the personal data subject to Processing before erasing it. 

Article 7.  Recipients of Personal Data

In principle, the Controller is the sole Recipient of all Personal Data. 

In its performance of a Service, the Controller may be obliged to transfer the Personal Data to external or internal Recipients.

The following Recipients may be required to process your personal data:

  • The Controller’s hotel staff;
  • The Controller’s processor;
  • Banks;
  • Credit card issuers;
  • Website hosts;
  • The Controller’s business partners;
  • The DPO; 
  • The authorities. 

The Controller shall undertake to require sufficient guarantees from the Recipients that they will implement appropriate technical and organizational measures in such a manner that Processing meets the applicable legal and regulatory requirements and ensures the protection of the rights of the Data Subject.
 

The Controller may communicate the Personal Data that is subject to Processing with any Recipient or Third Party whenever there is a legal obligation to do so or when the Controller believes, in good faith, that it is necessary to do so in order to:

  • Respond to a complaint against it; 
  • Comply with legal or administrative requirements;
  • Enforce any contract to which the Data Subject is a party;
  • Protect the vital interests of any natural person;
  • Carry out a task in the public interest. 

If the Controller is acquired by a Third Party, the Controller reserves the right to share the Personal Data with the acquiring Third Party, subject to the Third Party complying with the present Privacy Policy.

Article 8.  Transfer of Personal Data outside of the European Union

The Controller shall store all Personal Data on secure servers located within the European Union. 

The Controller shall only transfer the Personal Data outside of the European Union if express prior authorisation is granted by the Data Subject. 

Article 9.  Data Subject’s rights over their Personal Data

The Data Subject has a number of rights over their Personal Data that he or she may exercise, unless otherwise stated in the applicable legislation or regulations, by submitting a request to the DPO.

The DPO shall assist the Data Subject in exercising their rights over their Personal Data with the Controller. 

If there is reasonable doubt over your identity, the DPO may ask you to attach a copy of an official ID document to support your request. 

Requests shall be processed as quickly as possible, and no later than the deadlines stipulated by the Legislation.

Article 10.1. Right of access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and the following information: 

  • The purposes of the processing;
  •  The categories of Personal Data concerned;
  • The Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organizations;    
  • Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of processing of Personal Data, or to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where the Personal Data are not collected from the Data Subject, any available information as to their source;
  • The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

The Controller shall provide a copy of the Personal Data undergoing Processing. For any further copies requested by the Data Subject, the Controller reserves the right to charge a reasonable fee in line with administrative costs.

Article 10.2. Right to erasure and rectification

The Data Subject shall have the right to obtain from the Controller the rectification and/or erasure of inaccurate or outdated Personal Data without undue delay, unless the circumstances prevent the Data Subject from exercising this right, notably:

  • The exercise of the right to freedom of expression and information;
  • Compliance with a legal obligation;
  • Public interest in terms of public health, archiving, scientific and historical research, and statistical research;
  •  The establishment, exercise or defense of legal claims.

Article 10.3. Right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the Processing of his or her Personal Data which is based on the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by the Controller. 

The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defense of legal claims. 

The Data Subject shall also have the right to object at any time to the Processing of his or her Personal Data by the Controller for the purpose of direct marketing, where the Data Subject is related to such direct marketing. 

Finally, where Personal Data are processed for scientific or historical research purposes or statistical purposes, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to the Processing of his or her Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.

Any consumer has the option of registering free of charge on the BLOCTEL telephone cold-calling opposition list.

Article 10.4. Right to restriction of processing

The Data Subject shall have the right to obtain from the Controller restriction of the Processing of his or her Personal Data where one of the following applies:

  •  The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
  • The Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;
  • The Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims;
  • The Data Subject has objected to Processing pursuant to Article 10.3, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Any Data Subject who has obtained the restriction of Processing of their Personal Data shall be informed by the Controller before the restriction of Processing is lifted. 

Article 10.5. Right to data portability 

The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the Controller, where:

  • The Processing is based on the Data Subject’s Consent or on the performance of a contract to which the Data Subject is a party;
  • The Processing is carried out by automated means.

In exercising his or her right to data portability, the Data Subject shall have the right to have their Personal Data transmitted directly from the Controller to another controller, where technically feasible. 

Article 10.6. Right to lodge a complaint with the Supervisory Authority

The Data Subject shall have the right to lodge a complaint with the Supervisory Authority if he or she believes that the Controller is illegally Processing Personal Data. 

Article 10.7. Right to define instructions for the management of Personal Data

The Data Subject shall have the right to define instructions for the management of his or her Personal Data following his or her death with the Controller, who will employ all available technical means to ensure that this wish is respected. 

Article 11.  Security of Personal Data

The Controller shall take all suitable technical and organizational measures to protect the Personal Data from destruction, loss, alteration, misuse and unauthorized access, modification or disclosure, whether these actions are intentional or accidental. 

The purpose of these technical and organizational measures is to ensure the confidentiality, integrity, availability and resilience of the Website and the information systems on which the Filing Systems are stored. 

In order to provide the Data Subject with a secure Browsing experience, the Website is encrypted using SSL (Secure Sockets Layer).

Article 12.  Modification of the Privacy Policy

The Controller reserves the right to occasionally modify the present Privacy Policy. 

In the event that the present Privacy Policy is modified significantly, the Data Subject will be personally informed of the new Privacy Policy. 

All Data Subjects are invited to regularly consult the present Privacy Policy to familiarize themselves with any possible modifications. 

Data Subjects may send any questions they have on the present Privacy Policy to the DPO at the following address: reservation@hoteltarentaise.com

Article 13.  Invalidity of the Privacy Policy

Should any of the stipulations of the present Privacy Policy be found to be invalid in relation to a rule of law in force or a definitive legal decision, it shall be deemed unwritten; however, the validity of the Privacy Policy as a whole and the remainder of its provisions shall not be affected.

In accordance with law no. 2020-901 of July 24, 2020 aimed at regulating telephone canvassing and combating fraudulent calls, any professional reserves the right to canvass a consumer registered on the telephone canvassing opposition list when the canvassing takes place as part of the performance of a current contract and is related to the subject of the said contract, including when it involves offering the consumer products or services related to or complementary to the subject of the current contract or of a nature to improve its performance or quality.