In France, Personal Data Protection is regulated by the General Data Protection Regulation of 27th April 2016 (better known under the name RGPD) and by the IT and Freedom Act of 6th January 1978 (amended).
The Casino, Guichard-Perrachon Company (hereafter “we”), is a public limited company with a Board of Directors, a share capital of 165,892,131.90€, registered in the Saint-Etienne Trade and Companies Register under number 554 501 171, with its headquarters located 1 Cours Antoine Guichard – 42000 Saint-Etienne.
As we are in charge of dealing with all data, we are very mindful of Data protection for all our customers and potential customers (hereafter “you”), whose data we may handle for business purposes. This is the reason why we are committed to respecting the essential principles applicable to Personal Data Protection.
For this reason, we wish to share in this policy the way we collect, handle and use your personal data (hereafter your “Data”) to bring you, on a daily basis, new services while respecting your rights.
1/ What data do we collect?
As part of the contact form and registering for the shareholders’ newsletter, we are likely to collect data such as: your name, first name, email address and mobile or house phone number. If strictly necessary for providing our services, this information is marked with an asterisk on the form or contact sheet.
When you browse our internet sites, we also collect data such as identification, connexion or tracking data.
We also collect your data when you give it to us directly. Your data can also be communicated to us indirectly via our partners.
2/ On what occasion do we collect data?
Your data can be collected and handled in the following circumstances.
Your data can be handled when you:
- contact us using the contact form;
- contact us as part of shareholders’ relations management;
- join our newsletter;
- interact with us on social networks for example.
For this data handling, we rely on your consent. If you wish to withdraw consent or refuse any data handling, please read the section below on “How to exercise your rights?”.
Your data can also be handled when:
- we carry out statistical surveys;
- we have to defend your interests (fraud prevention and handling, disputes);
- we work towards improving our services;
- data handling is in our legitimate interest.
Finally, your data can be handled when you exercise your rights about this data or to enable us to fulfil our legal obligations.
3/ Who are the recipients for your data?
We make sure only authorized people who are bound by a confidentiality obligation may access your data.
Therefore, recipients may be authorized personnel, within certain branches of Casino Group, services in charge of handling customer relations and potential future customers, services in charge of handling shareholders’ relations, IT services for handling and following-up on your status and requests.
As regards handling and following up on your status and requests, your data can be passed on to certain providers specialised in payment and transaction services (e.g. banks, payment service providers), dispute management and IT support.
Operations with a provider receiving your data may be subject to a contract in order to ensure Data protection and that your rights are respected.
No data handling by any partner may lead to a transfer outside the EU if the transfer country is not recognised as having an appropriate level of protection or if appropriate guarantees aren’t put in place. These guarantees can be for example a transfer agreement based on typical contractual clauses adopted by the European Commission and/or any other scheme approved by monitoring entities.
We may have to give over your data if requested by public authorities, especially to fulfil requirements in terms of national security, the fight against fraud or law enforcement. If this is the case, we cannot be held responsible for the conditions in which relevant staff of said authorities handle your data.
4/ How long is your data kept for?
Retention periods for your data comply with the following legal obligations:
|Categories of personal data|Retention rules|
|Contact data|3 years after the latest contact attempt|
|Shareholder’s relations Data|3 years after selling all shares|
At the end of the indicated periods, we may archive your data, particularly to fulfil limitation periods for legal action. Afterwards, your data may be either deleted or made anonymous, with the clarification that these operations are irreversible and that we may not be able to restore the data afterwards.
5/ Our commitments towards safety and confidentiality
Preserving the confidentiality and the safety of your data is our priority.
We aim to implement logistical and technical measures in accordance with the sensitivity level of your data to protect it against any malicious intrusion, loss, alteration or disclosure to non-authorised third parties.
Implementing such measures may warrant the assistance of any third party of your choice to potentially put in place vulnerability audits or intrusion tests. These measures are reassessed and updated if necessary.
When designing, developing, selecting and using our services, we take into consideration the principles of personal data protection from the beginning. For example, we can implement pseudonymisation or anonymisation of your data whenever possible or necessary.
With constant concern for safety and protection, we encourage you to act with caution to prevent any non-authorised access to your data and protect your devices (computer, smartphone, tablet) against any unwanted or even malicious access.
We suggest you choose a password which is:
- “complex”: containing many characters of many different types (lowercase letters, capitals, numbers, special characters);
- one that “doesn’t say anything about you”: nobody must be able to guess your password from your preferences or habits;
- “unique”: to avoid recurrent hacking, each of your online accounts must be protected by a unique password.
6/ How to exercise your rights?
In order to enable you to control the use of your data, you are allowed to:
- be informed on the use we make of your data. The present document deals with this matter;
- obtain confirmation that your data is being handled and if it’s not the case, you can request a written confirmation although we may charge for an extra copy of this document;
- obtain data correction if your data is incorrect, obsolete or incomplete;
- refuse the handling of your data for reasons regarding a specific situation or when data handling is based on our legitimate interest or your consent;
- ask for limited handling of your data. This right is only applicable under certain conditions (dispute over the accuracy of your data, doubt on the legality of the handling, the exercising of your legal rights);
- exercise your right to the portability of your data. This right is only applicable under certain cumulative conditions (if you have given us your data yourself over our online service and for purposes relying solely on the consent of people or the execution of a contract);
- ask for your data to be deleted. This right is only applicable under certain conditions (withdrawal of the consent on which the data handling is based, if your data isn’t necessary anymore in terms of the initial handling purposes, if you are opposed to your data being handled, if there is a doubt on the legality of the handling);
- give specific and general guidelines on how your data may be kept and handled post-mortem. If there are no guidelines in place, your heirs may make a request on the matter.
More generally, to exercise your rights, you can send your request:
- By email: email@example.com
- By post: Casino Group – Group Communication Department
Request to exercise your rights
1 cours Antoine Guichard – BP 306 – 42008 Saint Etienne Cedex 2
Proof of identity may be requested if there is doubt about the identity of the claimant.
We provide elements to answer your requests within the best possible timeframe and in accordance with your legal obligations. Moreover, you have the right to put in a claim by contacting the relevant monitoring entity in France, called the Cnil.
7/ Contact details
You can contact your Personal Data protection officer (DPO) at the following address: firstname.lastname@example.org
The current policy may be updated as and when needed.
August 2019 Version