1.1. Data Controller
The following information is provided to you so that you are aware of the personal data protection commitments of La Maison du Chocolat, a simplified joint-stock company, whose registered office is at 65 avenue de Ségur - 75007 Paris, which acts as as data controller for the processing of personal data mentioned in this document.
1.2. Our person in charge of the Information Technology and Civil Liberties Policy
La Maison du Chocolat has appointed a person in charge of the information technology and civil liberties policy who you can reach by email at the following address:
A part of the processing of personal data, La Maison du Chocolat collects and processes the following data:
- Title, surname, first name, date of birth when it has been entered, billing address, delivery address, email address, telephone number;
- Customer number, loyalty card number;
- Statistics regarding the opening and clicking on emails sent by La Maison du Chocolat and activity on the site (pages viewed, products seen, abandoned baskets, etc.).
3.1. The purposes of our processing
The processing we implement is for the following purposes:
- Management of the content of the website;
- Management of orders;
- Management of communication to customers and prospects;
- Tracking the customer journey;
- Monitoring customer relations (including satisfaction surveys) and customer claims;
- Traffic analysis;
- Customer categorisation;
- Advertising retargeting of our audiences
3.2. The legal bases of our processing
We only implement data processing if at least one of the following conditions is met:
- Your consent to the processing operations has been obtained;
- The existence of our legitimate interest, or that of a third party, which justifies our implementation of the processing of personal data concerned;
- The performance of a contract between us requires that we implement the processing of personal data concerned;
- We are bound by legal and regulatory obligations that require the implementation of the processing of personal data concerned.
3.3. The legitimate interests pursued
The legitimate interests pursued by La Maison du Chocolat may include, in particular, allowing the continuity of its business, improving the consumer experience, retaining the consumer, understanding consumers’ expectations.
The personal data that we collect, as well as that collected later, is intended for us as data controller.
We make sure that only authorised people can access this data. Our service providers may be recipients of this data to perform the services we entrust to them. Some personal data may be sent to third parties or to legally authorised authorities to meet our legal, regulatory or contractual obligations.
Your personal data may be reconciled, pooled or shared between all parent and sister entities and subsidiaries of La Maison du Chocolat.
It may be communicated to these entities for the purposes referred to in this information notice. These operations are carried out using instruments which comply with the applicable regulations and which ensure the protection and respect of your rights.
In our network of shops but also for technical purposes with our IT service providers, we transfer your personal data to partners located in the following countries: United States, Japan, Hong Kong, Canada, Spain, Portugal, Tunisia.
Each of these transfers is governed by legal instruments that comply with the applicable legal framework. Indeed, the countries listed benefit from a decision of adequacy, which means that they offer your personal data a degree of protection equivalent to that which is current on the territory of the European Union. Transfers to other countries are covered by the appropriate safeguard measures.
The retention periods we apply to your personal data are proportionate to the purposes for which they were collected. As a result, we organise our data retention policy as follows:
- Four years from the collection of your data or the last contact from you;
- In the context of concluded contracts, data is kept according to the applicable limitation periods;
- Thirteen months regarding cookies from their installation on your device;
- Ten years from the conclusion of the contract for an amount greater than € 120 for accounting purposes;
- One year from receipt of the request for rights of access, rectification, erasure, limitation;
- Six years from receipt of the request for the right to object.
- Six months maximum for data collected through a conversation from the chat
- Regarding a request made through the contact form, the data is kept for the time it takes to process the said request, plus the statutory limitation period.
- Regarding the creation of a customer profile on the website of La Maison du Chocolat, the data is kept for three years from the last contact from you, or failing that, the date of creation of the customer profile
- Concerning the subscription to a newsletter, until the withdrawal of its consent or failing this three years, from the last contact from you
7.1. Terms of exercise of your rights
You can exercise your rights electronically at the following address: La Maison du Chocolat, Service clients, 41 rue Paul Lescop, 92000 Nanterre, or by email to the following address: email@example.com
To do this, you must clearly indicate your surname(s) and first name(s), the address to which you want the answer to be sent to you and attach proof of your identity.
As a matter of principle, you can exercise all of your rights at no cost.
Regarding the right of information, La Maison du Chocolat will not be obliged to respond when you already have the information you request.
La Maison du Chocolat will inform you if it cannot respond to your requests.
These rights are not absolute and are subject to different conditions under:
- The applicable French law regarding the protection of personal data and privacy;
- The laws and regulations that apply to you.
La Maison du Chocolat wishes to inform you that the non-entry or modification of your data may have consequences on the processing of certain requests within the framework of the execution of contractual relations and that your request to exercise your rights will be kept for tracking purposes.
All the rights you enjoy are detailed below.
7.2. Your right to information
You acknowledge that this information notice informs you of the purposes, the legal framework, the interests, the recipients or categories of recipients with whom your personal data are shared, and the possibility of a transfer of data to a third country or to an international organisation.
In addition to this information and in order to ensure a fair and transparent treatment of your data, you declare to have received additional information regarding:
- The retention period of your personal data;
- The existence of your rights and the terms of their exercise.
If we decide to process data for purposes other than those indicated, all information relating to these new purposes will be communicated to you.
7.3. Your right of access and rectification of your data
You have the right to access and have your personal data rectified, which you can exercise by contacting La Maison du Chocolat at the following address: La Maison du Chocolat, 41 rue Paul Lescop, 92 000 Nanterre or by email to firstname.lastname@example.org
As such, you have the confirmation that your personal data is or is not processed and when it is, you have access to your data as well as information about:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients as well as the international organisations to which personal data has been or will be communicated, in particular recipients who are established in third countries;
- When possible, the intended personal data retention period or, when this is not possible, the criteria used to determine this period;
- the existence of the right to request the data controller to rectify or erase personal data, or a limitation of the processing of your personal data, or the right to oppose such processing;
- The right to lodge a claim with a supervisory authority;
- Information about the source of the data when it is not collected directly from the data subjects;
- The existence of automated decision making, including profiling, and, in this last case, useful information about the underlying logic, as well as the significance and intended consequences of that processing for the data subjects;
You may ask that your personal data be, as the case may be, rectified, completed if it is inaccurate, incomplete, equivocal or out of date.
7.4. Your right to erase your data
You can ask us for the erasure of your personal data when one of the following reasons applies:
- the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
- you withdraw the consent previously given;
- You object to the processing of your personal data when there is no legal reason for said processing;
- The processing of personal data does not comply with the provisions of the applicable legislation and regulations;
- Your personal data has been collected in relation to the offer of information society services to children under the age of 16.
However, the exercise of this right will not be possible when the retention of your personal data is necessary under the laws or regulations and in particular for the recognition, exercise or defence of rights in court.
7.5. Your right to limit data processing
You may request the limitation of the processing of your personal data in the cases provided for by the laws and regulations.
7.6. Your right to object to data processing
You have the right to object to the processing of your personal data when the processing is based on the legitimate interest of the controller.
This right can be exercised by any means including by clicking on the unsubscribe links at the bottom of the communications sent.
7.7. Your right to portability of your data
Since May 25, 2018, you will have the right to the portability of your personal data.
The data on which this right may be exercised is:
- Only your personal data, which excludes anonymized personal data or data that does not concern you;
- The declarative personal data as well as the personal operating data mentioned previously;
- Personal data that does not affect the rights and freedoms of third parties such as that protected by business secrecy.
This right is limited to processing based on consent or a contract and personal data that you have personally generated.
This right does not include derived data or inferred data, which is personal data created by La Maison du Chocolat.
7.8. Your right to withdraw your consent
When the data processing we implement is based on your consent, you may withdraw it at any time. We will stop processing your personal data without the prior operations which you consented to being called into question.
7.9. Your right to appeal
You have the right to lodge a complaint with the CNIL on the French territory without prejudice to any other administrative or jurisdictional appeal.
7.10. Your right to define post-mortem directives
In accordance with Article 63 of Law No. 2016-1321 of October 7, 2016 for a Digital Republic, you have the possibility to define guidelines for the storage, erasure and communication of your personal data after your death with a trusted third party, certified and responsible for enforcing the will of the deceased, in accordance with the requirements of the applicable legal framework.
We attach great importance to the protection, integrity and confidentiality of your data. Consequently, we have implemented technical and organizational measures to guarantee a level of security adapted to the risk and thus protect your data against any loss, alteration, access or disclosure to unauthorized third parties.
However, despite our efforts, no security measure can protect against all the risks of misappropriation or piracy, for which we as data controller cannot be held responsible.
We undertake in the event of a personal data breach and in accordance with the regulations in force relating to the protection of personal data, to notify them to the CNIL. In the event that a data breach would present a high risk to your rights and freedoms, we will inform you as soon as possible and always under the conditions provided for by the regulations in force relating to the protection of personal data.
9.1. Identity of the data controllers
La Maison du Chocolat, Facebook and Linkedin have initiated the Master Tag project. This project is based on the implementation of personal data processing.
This processing requires the joint intervention of La Maison du Chocolat, Facebook and Linkedin and implies cooperation in the processing of personal data, a sharing of purposes and means in a common set of operations.
9.2 Purpose and means of processing
The purpose of this processing is mainly based on commercial prospecting.
The duration of this processing depends on the duration of the contract between the parties.
9.3 Personal data processed
-browsing behaviour data
-purchase or action data.
9.4 Individual rights
Data subjects may contact the data controllers in order to exercise their right of access, right of query, right of rectification, right to erasure, right to limit processing, right to portability and right to object.
La Maison du Chocolat, Facebook and Linkedin are required to ensure a level of security appropriate to the risk relating to the processing that is the subject of this contract, depending on the nature of the processing and the type of data processed.
To this end, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, varying in probability and severity, to the rights and freedoms of natural persons, the joint data controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including among others:
- pseudonymisation and encryption of personal data ;
- means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
- a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.