Privacy Policy
The Ritz Group may process the personal data (the "Personal Data") of Prospects, Visitors and Customers (as defined below) when they visit the website www.ritzparis.com (the “Website”) in order to:
- manage your reservation or your stay at the Hotel Ritz Paris;
- manage your purchases on the e-shop section of the Website, which can be accessed at www.ritzparis.com/e-boutique (the "E-Shop");
- send out our newsletter.
Your Personal Data must be protected with the greatest care. The confidentiality and security of this information is our highest priority.
The Ritz Group therefore considers compliance with applicable data protection regulations to be of the utmost importance:
- the General Data Protection Regulation (EU) No 2016/679 of 27 April 2016 ("GDPR")
- for France, the amended Data Protection Act (Loi Informatique et Libertés) of 6 January 1978 ("LIL")
The purpose of this personal data protection policy (the "Privacy Policy") is to inform Visitors to the Website, Prospects and Customers of the Ritz Group about the processing of their Personal Data in accordance with Articles 12 et seq. GDPR.
The Privacy Policy is intended to apply solely to the processing of data likely to directly or indirectly identify Website Visitors, Prospects and Customers or make them identifiable.
For the purposes of the Privacy Policy, the "Ritz Group" means any company wholly or partly owned, directly or indirectly controlled or jointly controlled by RH Paris 1 S.à.r.l, a company incorporated under the laws of the Grand Duchy of Luxembourg, with registered office at 42 rue de la Vallée, L-2661, Luxembourg, registered in the Luxembourg Trade and Companies Register under number B136967, and in particular:
- The Ritz Hotel, Limited, the operating company of the Ritz Paris Hotel ("Ritz Paris");
- Ritz Enterprise SA, the company responsible for developing the brand ("RESA").
To find out more about the data processed in relation to a reservation or stay at the Ritz Paris, please consult the dedicated Privacy Policy in the section "You are a customer of the Ritz Paris Hotel" (the "Ritz Paris Privacy Policy").
To find out more about the data processed in relation to the E-Shop, please consult the dedicated Privacy Policy in the "You are a customer of the E-Shop" section (the "E-Shop Privacy Policy").
1. Collection of data
The terms "Ritz Group", "we", "us" and "our" refer to, on the one hand, any company held, fully or partially, directly or indirectly, or under common control by RH PARIS 1 Sàrl and on the other hand, THE RITZ HOTEL, LIMITED and RH PARIS 1 S.à.r.l. as the data controllers of your personal data, unless otherwise specified in this Privacy Policy.
THE RITZ HOTEL, LIMITED is a company organised and existing under the laws of England and Wales, with a share capital of £2,000,000, registered at Companies House under number 00048125 and at the Paris Trade and Companies Register under number 572 219 913 00017, with its registered office at Third Floor, 20 Old Bailey, London EC4M 7AN, United Kingdom, and its principal place of business at 15, Place Vendôme, 75001 Paris, France (hereinafter referred to as "RITZ PARIS").
RH PARIS 1 S.à.r.l. is a company incorporated under the laws of the Grand Duchy of Luxembourg, registered with the Luxembourg Trade and Companies Register under number B136967, with its registered office at 42, rue de la Vallée, L-2661, Luxembourg.
RH PARIS 1 S.à.r.l. is the parent company of the Ritz Group and RITZ PARIS is a subsidiary of RH PARIS 1 S.à.r.l.
The Ritz Group is defined as any entity that is wholly or partially held, controlled, directly or indirectly or under common control by RH PARIS 1 Sàrl.
We may collect personal data directly from you (e.g. when you purchase a product or service, when providing your information on "contact", "newsletter", "booking", etc.) or indirectly (e.g. from your electronic devices that interact with our website (the “Site”), electronic forms) (hereinafter referred to as the "Digital Platforms").
Personal data are hereby defined as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
When you voluntarily provide your personal data, you undertake to provide information that is accurate and does not harm the interests or rights of third parties.
2. Data Collected
a. Data which you provide directly to us
You may provide us with data:
- when you create an account online or at our shops;
- when you subscribe to our newsletter;
- when you use our Digital Platforms;
- when you purchase products or services on our Digital Platforms or at our points of sale;
- when you visit our points of sale;
- when you attend one of our events;
- when you make a telephone call to our switchboard, whether externally or from your room’s telephone; such calls may be recorded.
The personal data collected is:
- your identity (including your first name, surname, gender, image, nationality);
- your contact details (including postal address, e-mail, telephone numbers);
- your personal status (including your title);
- your purchases (including purchase history, order details);
- your preferences (dietary, etc.);
- images (including CCTV images, publicly available photographs and images captured at events or during your stay);
- certain payment details (including billing details, type or method of payment);
- other information you may provide by filling in forms or contacting us (including your comments or other communications to us which may include health data relating to any adverse effects of our services and products);
- sensitive data pursuant to legislation in force or where disclosed and relevant to the provisions of services and products (e.g. passport, health data, your voice, your underage children’s information such as name, date of birth etc.).
We collect and use your personal data on one or more of the following legal bases:
- we have obtained your prior consent (for example when you subscribe to our newsletter). Please note that with this particular legal basis, you have the right to revoke your consent at any time (see section below “Your rights concerning your personal data collected”);
- the processing is necessary for the purposes of a contract between RITZ PARIS and yourself (for example when you make a purchase of a product or service);
- we have a legitimate interest in carrying out the processing and that legitimate interest is not overridden by your interests, fundamental rights or freedoms (e.g. the prevention of payment fraud);
- we need to process your personal data in order to comply with applicable laws and regulations.
Depending on the context, we may use your personal data to:
- provide you with the products or services you have requested;
- carry out checks to identify you and verify your identity;
- send you marketing and promotional information, based on your preferences, with your prior consent (see the section "Marketing Communications" below);
- provide you with after-sales service and manage refunds;
- manage your claims for refunds;
- respond to your questions, suggestions and requests, including requests to exercise your rights;
- manage complaints and disputes;
- manage the events you have registered for and/or participated in;
- detect, prevent and combat fraudulent or illegal activity, including protecting your transactions from payment fraud;
- protect you, employees and others in our points of sale and our premises;
- monitor and improve our Digital Platforms;
- perform anonymous statistical analysis, including to tailor our product and service offerings (including the use of nationality anonymously);
- improve our products and services;
- to comply with our legal obligations, which includes providing information to regulatory bodies where required by law, in particular to comply with our legal obligations to prevent and combat fraud, money laundering and terrorist financing.
4. Use and transmission of data
a. Data storage time
Your personal data are processed for the period necessary for the purposes for which they have been collected, to comply with legal and regulatory obligations and for the duration of any period necessary for the establishment, exercise or defence of legal rights.
In order to determine the most appropriate retention periods for your personal data, we have specifically considered the amount, nature and sensitivity of your personal data, the purposes for which we have collected your personal data, the service you deserve and expect from us together with the applicable legal requirements. For example:
- Our prospects (potential customers): Your personal data is retained for three (3) years from your last interaction and then deleted or archived to comply with legal retention requirements;
- Our customers: Your data is kept for the duration of our business relationship and up to ten (10) years, then deleted or archived in order to comply with legal retention obligations;
- Cookies used on Digital Platforms: Cookies are kept for a maximum of thirteen (13) months from the time they are installed on your device.
b. Recipients of your personal data
We may only disclose your personal data to the parties named below and for the following purposes:
- To employees of RITZ PARIS who need to have access to your personal data and who are authorised to process it for the above-mentioned purposes and who undertake to respect its confidentiality;
- To the departments of the Ritz Group companies responsible for customer relations, retail, e-commerce, communications, legal, finance, internal audit, IT management and security for the purposes set out in this Privacy Policy and to provide you with a consistent level of service across all companies. This may include providing you with the services and products you have requested, improving the services and products provided and, with your consent, sending you marketing communications about offers, services, products or events of the RITZ PARIS or its sister companies (for this purpose, you may revoke your consent at any time and exercise your rights in relation to your personal data, as described below).
- To third parties acting on behalf of RITZ PARIS or the Ritz Group, upon our prior instructions set out in a binding contract that complies with the requirements of applicable law. Such disclosures are made for a variety of purposes, including:
- IT development and support;
- Hosting and conducting marketing and economic research and marketing campaigns;
- Verification of your information, authentication of payments and processing of orders and payments to third parties who provide credit reporting, payment or order fulfilment services;
- Delivery services.
- To authorities and/or competent bodies or third parties, as required by law or as part of legal proceedings or other legal requests.
c. Recipients outside the European Union
Your personal data may be processed outside the European Union, including via remote access. We undertake not to make any transfer of such data outside the European Union without implementing appropriate safeguards in accordance with the applicable regulations.
5. Protection of your personal data: security and confidentiality
All your personal data is strictly confidential and will only be accessed on a need-to-know basis by RITZ PARIS staff and other duly authorised entities as well as independent service providers acting on our behalf under appropriate technical and organisational security measures.
We have implemented organisational, technical, software and physical digital security measures to protect your personal data against alteration, destruction and unauthorised access.
However, it should be noted that the Internet is not a completely secure environment, and the Digital Platforms cannot guarantee the security of the transmission or storage of information over the Internet.
We follow appropriate security procedures in the storage and disclosure of your personal data so as to prevent unauthorised access by third parties and to prevent accidental loss of your data. We limit access to your personal data to those who have a genuine business need to access it. Those who access your data will be subject to a duty of confidentiality towards RITZ PARIS.
We also have procedures in place to deal with any suspected data breach. We will notify you and any relevant supervisory authority of a suspected data security breach where we are legally required to do so.
We also require those to whom we transfer your personal data to comply with the above. However, unfortunately, the transmission of information via the Internet is not completely secure. We therefore cannot guarantee the security of your personal data transmitted by you to us via the Internet. Any such transmission is at your own risk and you acknowledge and agree that we will not be liable for any unauthorised use, distribution, damage or destruction of your data, except to the extent that we are required to accept such responsibility under the law. Once we have received your personal data, we will apply the security measures mentioned above.
6. Your rights concerning your personal data collected
In accordance with the data protection legislation in force, you may at any time request access to, rectification, deletion, portability, or restriction of the processing of your personal data or object to it. A summary of these rights is set out below:
- your right to request access to your personal data (request to receive a copy of your personal data);
- your right to rectification (to request rectification of any errors in your data or to have them completed);
- your right to be forgotten (to request the deletion of your personal data, in certain situations);
- Your right to restriction of processing (to request restriction of processing of your personal data, in certain circumstances, for example if you dispute the accuracy of the data);
- Your right to data portability (requesting to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and/or to transmit this data to a third party, in certain situations);
- Your right to object to the processing:
- at any time to your personal data for direct marketing purposes;
- in certain other situations, to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.
Where the processing of your personal data is based on your consent, you may decide at any time to withdraw it. If your consent is withdrawn, this will not affect the processing of your personal data based on other legal bases, such as fulfilling your orders and storing your order data as required by applicable law.
If you no longer wish to receive our marketing/promotional information, we remind you that you may withdraw your consent to direct marketing at any time directly from the unsubscribe link included in each electronic promotional message we send to you. If you do so, we will promptly update our databases, and will take all reasonable steps to meet your request at the earliest possible opportunity, but we may continue to contact you to the extent necessary for the purposes of any products or services you have requested.
You may exercise your rights by contacting RITZ PARIS:
- by email at the following address: [email protected]
or
- by post at the following address: Data Protection Officer, Ritz Paris, 15 Place Vendôme, Paris 75001, France.
You also have the right to lodge a complaint with a personal data protection supervisory authority in the event of an alleged breach of the data protection rules applicable to you. The French authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).
Please note that if you exercise any of the rights mentioned above, you will be asked to inform us of which right you wish to exercise and to provide us with certain information (copy of an identity card, passport or other legally recognised identification document) for identification purposes in order to process your request and to protect you against fraudulent requests from third parties.
You have the right to lodge a complaint with a local Data protection authority in case of alleged infringement of the data protection rules applicable to you. The French Data protection authority is the CNIL (Commission Nationale de l’Informatique et des Libertés).
Please note that upon exercising any of the rights listed above, you will be requested to let us know what right you want to exercise and provide information (copy of an identity card, passport or other legally recognized identity) for identification purposes in order to process your request and protect you against fraudulent requests from third parties.
7. Cookies
In accordance with your cookie settings, you agree to the Site storing information with regard to your browsing, in order to ensure in particular the correct functioning of the Site, produce traffic statistics and optimise the conditions of use of the Site and the services which are offered on it.
What is a cookie?
A cookie is a small text file stored on your hard disk. It contains a few data concerning your connection, particularly the name of the server which wrote it, in most cases an identifier in the form of a unique number and possibly an expiry date. This identifier can enable the Site to recognise your computer, your browser, your mobile or your tablet on each visit. Cookies are managed by your web browser.
What types of cookies do we use?
Strictly Necessary Cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They help improve and customise the optimal functioning of our website, in particular by safeguarding the preferences you have set during your browsing. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. The information collected through these cookies is anonymous and does not allow us to identify the user. You can set your browser to block or alert you about these cookies but some parts of the website may not work.
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
For more information, you may find the cookies detailed below “Cookies Settings”
How can you oppose the use of the cookies?
If you wish to change your cookies’ options, simply go to your browser’s help menu to find out how to change these options.
For Internet Explorer™: here.
For Safari™: here.
For Firefox™: here.
For Chrome™: here.
Depending on your settings, your browsing will be modified and access to our services will be restricted to varying degrees. In particular, deactivating certain cookies will impair your visit to our Site or make it impossible.
If your computer is used by more than one person or has multiple internet browsers, it is possible that some of your choices relating to cookies may not be permanent because you are either using a different browser or a third party has changed the settings of your browser. We are unable to prevent these external factors and therefore cannot guarantee the permanence of the choices you make.
8. Specific information concerning minors under the age of 16
We remind you that we do not collect, directly or indirectly, personal data from persons under the age of 16, without prejudice to any local law setting a different minimum age. We therefore ask you not to provide us with personal data of persons who do not meet this criterion, except where the processing is necessary for the purposes of a contract.
9. Updating of the Privacy Policy
We may change and update this Privacy Policy from time to time. When we post changes to this Privacy Policy, we will amend the "Update Date" at the bottom of this Privacy Policy to indicate when such changes come into effect. We encourage you to visit our Privacy Policy regularly.
If we wish to use your personal data in a manner different from that stated in the Privacy Policy in effect at the time of collection or if we change this Privacy Policy in a material way, such changes will be prominently notified on the Site by way of a change notice at the beginning of this Privacy Policy and on the home page of the Site.
Update Date: 1st October 2023
1. Scope and Field of Application
RESA takes the necessary measures to ensure that the Personal Data it holds or processes is protected and kept confidential in accordance with the provisions of the GDPR and applicable national legislation.
As part of the E-Shop, RESA collects, records, consults, modifies, accesses and/or erases the Personal Data of Prospects, Visitors, Customers and former Customers who are interested in or have purchased the products available on the E-Shop, in particular for the purposes of managing, preparing and invoicing orders.
The purpose of the E-Shop Privacy Policy is to outline the processing of Personal Data undertaken on this occasion, and in particular the origin of the data, the purpose for the processing, the data collected, how long these data are retained, the use of subcontractors and partners, the case of transfers outside the European Union, how to exercise your rights and, where applicable, how to lodge a complaint.
RESA undertakes to limit the processing of Personal Data to the cases listed in the E-Shop Privacy Policy, or to update this to ensure Personal Data are protected to a high level in compliance with the applicable regulations. In particular, in the case of new offerings involving the processing of Personal Data, RESA will provide you with information on how we collect and process your Personal Data, in the Terms and Conditions of Sale available on our Website as well as in this E-Shop Privacy Policy.
The E-Shop Privacy Policy does not apply to the processing of data related to a reservation or future stay at the Ritz Paris, which is covered by the Ritz Paris Privacy Policy.
2. Definitions
- Customer: any person who has purchased a service and/or product from RESA;
- Prospect: any person who is interested in RESA's products and who provides RESA with their contact details in order to receive our offers and news;
- Data Controller: the natural person or legal entity who has determined the methods, means and purposes of processing Personal Data. Unless otherwise stipulated, the Data Controller responsible for ensuring compliance with this Policy is Ritz Enterprise S.A., a public limited company incorporated under Swiss law, with registered office at rue du Rhône 42, 1204 Geneva, Switzerland, registered in the Commercial Register of the Canton of Geneva under number CHE-100.374.228;
- Joint Data Controllers: the natural persons or legal entities who jointly determine the purposes and means of processing Personal Data;
- Sub-processor: refers to the natural person or legal entity, public authority, department or other body that processes Personal Data on behalf of the Controller;
- Processing: Any operation or set of operations, whether or not these are carried out using automated processes, applied to Personal Data, or a set of Personal Data. Operations may involve collecting, recording, storing, structuring, adapting or modifying, communicating, distributing, limiting, destroying, etc.;
- Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or processed in any other way;
- Visitor: any person who is potentially interested in RESA's products and who accepts cookies on the Website.
3. Responsibility for Personal Data processing
When you browse the E-Shop and place an order, RESA acts as the Data Controller for your Personal Data.
When you browse our Website and decide to make a reservation at the Ritz Paris hotel or purchase a product from the E-Shop, RESA processes your data together with the Ritz Paris in order to offer you a comprehensive service.
4. Processing of Personal Data
When browsing the E-Shop, you may be asked to provide us with Personal Data, either directly or indirectly, or through the use of the Website.
We collect your Personal Data as follows:
- the Personal Data you provide, for example when creating a customer account, placing an order, contacting us or subscribing to our newsletter;
- through your use of our Website, when we deposit cookies and other trackers on your device, subject to your consent.
a. Clarification of lawful bases
The processing carried out by RESA serves an explicit, legitimate and specific purpose, which is subject to your consent, the performance of the sales contract, compliance with a legal or regulatory obligation, or legitimate interest.
b. Details of the objectives pursued
RESA collects your Personal Data for the purposes listed below:
- Ordering products (fulfilment of purchase contract)
- Payment for your order;
- Preparing your order;
- Managing your order (tracking, shipping and returns);
- Creating and managing an online account on our Website
- Customer service
- Respond to your requests for information, comments and, more generally, any questions you may have via our contact form;
- Handling a complaint;
- Marketing activities and in particular sending regular information on product offers relating to e-commerce, and on offers of other services proposed by the Ritz Group;
- Legal grounds
- Comply with the legal obligations to which we are subject;
- Anticipating and resolving disputes;
- Maintaining the Website in operational condition to ensure that it functions properly and is secure, as well as hosting and administering the Website;
- Improving the service: improving the functionality and quality of your browsing on our Website by carrying out tests, research and analyses;
- Personalisation: offering you content that is relevant, tailored and personalised to your interests and your geographical location.
c. Details of the data processed in this context
When you browse the Website or place an order, we collect:
- identity data (e.g. title, surname, first name);
- login data (username, password, IP address);
- records of actions undertaken when you log in to your customer account or when you confirm your shopping basket;
- contact details (e.g. telephone number, email address, postal address);
- your encrypted payment data, and more specifically your credit card number (for transaction purposes). To find out more about the processing of your payment data, please consult the policy of Worldline, our payment data provider (https://support.worldline.com/content/dam/support-worldline/local/fr-be/documents/terms-and-conditions/privacy-notice-worldline-fr-2023.pdf).
This may also include additional information that you wish to provide us with when sending a message via the "Contact us" page or when sending a personalised message.
The collection of sensitive data subject to your consent is exceptional and at your initiative
As a matter of principle, RESA does not collect sensitive information such as details of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health details, sexual history or sexual orientation.
However, if you believe that these data are required in order to process your order, RESA will only collect these data with your express prior consent.
In this case, and only for the purpose of satisfying your requirements, we may need to collect sensitive data.
Mandatory and optional data collection
When we collect your Personal Data via a form, mandatory data are indicated by an asterisk or by any other equivalent procedure. Failure to provide these Personal Data will make it impossible for RESA to process your request.
Data not marked with an asterisk or equivalent symbol are optional. They enable RESA to understand you better and to improve our communication and services to you. You do not have to provide this information, as failure to do so will not prevent your request from being processed.
Minors’ data
As indicated in our Terms and Conditions of Sale, the E-Shop service is not intended for use by minors under the age of eighteen (18). Data collection is limited to cases where an order placed on the E-Shop is delivered to a person under the age of eighteen (18). In this case, the Personal Data collected will be limited to the user's title, first name, surname, postal address, telephone number and email address. These Personal Data may only be provided to us by a person of legal age.
Please ensure that your children do not send us any Personal Data without your permission. If such data is sent to us, you can contact our data protection team (article 12 "Contacting us") to request the data be erased.
d. Details on retention periods
All Personal Data collected are processed and stored for a limited period depending on how the data are used and the applicable legislation.
Specifically,
- we retain your data for a period of three (3) years from your last interaction with the E-Shop or from the end of your purchase contract with RESA, except for contracts concluded on the E-Shop in excess of one hundred and twenty (120) euros, which are archived for a period of ten (10) years from the conclusion of the contract, in accordance with Article L 134-2 of the French Consumer Code;
- When Visitors accept cookies on the Website, the IP addresses collected by cookies are stored for 13 months;
- When you subscribe to our newsletter or have expressed an interest in our products or services, we may contact you again after a period of three (3) years to determine whether you wish to continue to receive commercial communications. You may, of course, withdraw your consent at any time.
- In the event of a dispute or the risk of a dispute, we may keep any evidence relating to your orders placed on the E-Shop in order to exercise our rights and defend ourselves in court.
After the end of the retention periods, all Personal Data are permanently erased or anonymised.
In exceptional circumstances, certain Personal Data may be archived in order to manage ongoing claims and disputes, to meet our legal and/or regulatory obligations and/or to respond to requests from the authorities who are empowered to make such requests. These will be erased when the legal statute of limitations expires.
e. Details on the processing of banking data
Regarding data relating to your bank cards, financial transactions for the payment of purchases and charges through our Website are outsourced to an external payment service provider, which is responsible for their proper processing and security in compliance with the applicable regulations (PCI DSS, DSP2). For more information, please consult Worldline's privacy policy (https://support.worldline.com/content/dam/support-worldline/local/fr-be/documents/terms-and-conditions/privacy-notice-worldline-fr-2023.pdf).
f. List of processing carried out by RESA as Data Controller
Orders
Purpose
Why are personal data processed?
To manage and fulfil orders
Data processed
What personal data are used?
Billing information: Title, surname, first name, postal address, email address, phone number
Delivery information: Title, surname, first name, postal address, email address, phone number
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long are personal data stored?
Three (3) years from your last interaction with E-Boutique or from the end of your purchase contract with RESA, with the exception of contracts concluded through E-Boutique worth more than one hundred and twenty (120) euros, which are archived for a period of ten (10) years from the conclusion of the contract, in accordance with Article L 134-2 of the French Consumer Code (Code de la consommation).
Order payments
Purpose
Why are personal data processed?
To handle order payments
Data processed
What personal data are used?
Bank details
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long are personal data stored?
Statutory period (see Worldline Privacy Policy)
Contact and complaints
Purpose
Why are personal data processed?
To request contact and to respond to a contact request
Data processed
What personal data are used?
Nature of request, title, name, email address, phone number, order number, comment (which may include sensitive data such as allergies), photographs
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long are personal data stored?
The time required to process the request and up to five (5) years after processing to ensure that we have answered you definitively and efficiently
Claims management
Purpose
Why are personal data processed?
To manage claims
Data processed
What personal data are used?
Total customer file (email exchanges, orders, accounting documents, etc.)
Lawful basis
On what lawful basis are personal data processed?
Consent and legitimate interest
Retention period
How long are personal data stored?
The time required to process your complaint based on your consent. Up to ten (10) years after the complaint for the purposes of defending against it if applicable and improving our services in similar areas on the basis of our legitimate interest
Legal matters
Purpose
Why are personal data processed?
In some cases, we may use your data to process and resolve legal action and disputes, to comply with regulatory investigations or applicable legislation, to enforce the terms of service or to comply with legal requests from law enforcement authorities.
Data processed
What personal data are used?
All data necessary for this purpose, in particular identity data and order and payment details
Lawful basis
On what lawful basis are personal data processed?
Legitimate interest
Retention period
How long are personal data stored?
Five years from your order in the case of legal action and six (6) to ten (10) years for accounting documents that may be requested by law enforcement authorities
a. List of processing carried out jointly by RESA and other entities of the Ritz Group as joint Data Controllers
Digital activity:
Purpose
Why are personal data processed?
To perform website traffic and performance analytics and to target advertising at site visitors
Data processed
What personal data are used?
IP address of your computer / laptop, traces and user ID from cookies stored
Lawful basis
On what lawful basis are personal data processed?
Legitimate interest for strictly necessary cookies and consent for cookies other than strictly necessary (to learn more, click on the cookie banner in the site footer)
Retention period
How long is personal data stored?
Retention period of IP addresses collected by cookies: 13 months
Joint Controller: TRHL
Ritz Paris customer account:
Purpose
Why are personal data processed?
To create and manage a Ritz Paris customer account on our website
Data processed
What personal data are used?
Title, surname, first name, country, postal address, email address, phone number, purchases (history and details of orders placed on the website), interests, wishlist, newsletter preferences
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long is personal data stored?
Three (3) years from your last interaction with E-Boutique or from the end of your purchase contract with RESA, with the exception of contracts concluded through E-Boutique worth more than one hundred and twenty (120) euros, which are archived for a period of ten (10) years from the conclusion of the contract, in accordance with Article L 134-2 of the French Consumer Code (Code de la consommation).
Joint Controller: TRHL
Managing a shared basket:
Purpose
Why are personal data processed?
To manage a shared basket
Data processed
What personal data are used?
Order history
Billing information: Title, surname, first name, postal address, email address, phone number
Delivery information: Title, surname, first name, postal address, email address, phone number
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long is personal data stored?
Three (3) years from your last interaction with E-Boutique or from the end of your purchase contract with RESA, with the exception of contracts concluded through E-Boutique worth more than one hundred and twenty (120) euros, which are archived for a period of ten (10) years from the conclusion of the contract, in accordance with Article L 134-2 of the French Consumer Code (Code de la consommation).
Joint Controller: TRHL
Promotion of Ritz Group offers and services:
Purpose
Why are personal data processed?
To send our newsletter about the offers and services of the Ritz Group
Data processed
What personal data are used?
Email address, last name, first name
Lawful basis
On what lawful basis are personal data processed?
Consent
Retention period
How long is personal data stored?
Retention period for active data: Three (3) years from last contact
Joint Controller: TRHL
b. Who are RESA’s subcontractors?
As part of its service, RESA may transmit your information to the subcontractors listed below.
Subcontractor category: Customer service
Context/purpose: Customer service management
Data collected: Last name, first name, order number and voice (on an ad-hoc basis)
Where the data are stored: France
Data Controller: RESA
Subcontractor category: Online/remote payment service
Context/purpose: Remote payments
Data collected: Last name, first name and credit card number
Where the data are stored: France
Data Controller: RESA
Subcontractor category: Delivery
Context/purpose: Order delivery management
Data collected: Title, surname, first name, address, phone number
Where the data are stored: France
Data Controller: RESA
Subcontractor category: Newsletter
Context/purpose: Management and sending of the newsletter
Data collected: Last name, first name, email address
Where the data are stored: France
Data Controller: RESA
Subcontractor category: Exercise of rights
Context/purpose: Processing of requests for the exercise of rights
Data collected: Any data provided by the person relating to the request and required to process it
Where the data are stored: France
Data Controller: RESA
Subcontractor category: Site back office
Context/purpose: Management of the site back office
Data collected: TBC
Where the data are stored: TBC
Data Controller: RESA
Subcontractor category: Site hosting
Context/purpose: Management of the site hosting
Data collected: TBC
Where the data are stored: France
Data Controller: RESA
1. Who your data is shared with
When browsing the Site, the Prospect, Visitor or Customer sends RESA certain personal data that are required to subscribe to the Ritz Group offers.
RESA is committed to protecting the Personal Data of Prospects and Visitors and to preventing them from being shared as much as possible. Personal Data are shared only when necessary to provide RESA’s services or when justified to help improve RESA’s service.
Certain Personal Data are shared with:
- RESA employees: The Personal Data of Prospects, Visitors and Customers may be processed by RESA employees, within the confines of their respective roles and exclusively to fulfill the purposes of the E-Boutique Privacy Policy;
- RESA subcontractors: RESA may use the services of subcontractors, including other entities of the Ritz Group, to assist it in the provision of its services;
- Invisible service providers: RESA uses the services of technical providers who may operate the technical infrastructure we need to maintain the Site, including providers who host, store, manage and maintain the Site, its content and the data we process;
- Auditors, regulators and any administrative or judicial authority in the context of a request based on legal, regulatory or accounting requirements or to assert RESA’s rights in court.
2. Transferring data outside the European Union
The Ritz Group stores all of its data within the European Union and does not transfer Personal Data outside the European Union. Ritz Group servers are managed by Microsoft (Azure), located in the Microsoft France Central (France) data centre.
However, RESA may use service providers (subcontractors and invisible service providers) whose principal place of business is located outside the European Union. This may include third countries for which the European Commission has not made an “adequate protection” decision. In such cases, RESA ensures that the transfer is carried out in accordance with the applicable regulations and guarantees an adequate level of protection for the privacy and fundamental rights of the data subjects (in particular by means of the European Commission’s standard contractual clauses). You will find more details on this subject in the table listing our service providers.
3. Security of your data
RESA is committed to protecting the Personal Data of its users.
RESA takes appropriate technical and organizational measures, in accordance with the applicable legal provisions (in particular Article 32 of the GDPR), to protect your Personal Data against destruction, loss or alteration, misuse and unauthorized access, modification or disclosure, whether such actions are unlawful or accidental. To this end, we have put in place technical measures (such as firewalls) and organizational measures (such as a login/password system, physical protection measures, etc.) to ensure the continuous confidentiality, integrity, availability and resilience of processing systems and services. When you transmit credit card information during your booking, encryption technology helps to keep your transactions secure. Organizational measures ensure data is processed securely.
More specifically, RESA systematically encrypts your personal data when they are sent over networks to ensure confidentiality and to prevent them from being intercepted by unauthorized third parties.
Logical access is granted only to automatic processes and employees requiring access to the data to process them.
We ask our subcontractors to provide an equivalent minimum level of protection.
4. Your rights
Under the regulations applicable to the protection of Personal Data and, in particular, the GDPR, individuals may exercise certain rights relating to their Personal Data, including:
- Right to be informed: This E-Boutique Privacy Policy informs our users about the nature and use of personal data;
- Right of access: You have the right to obtain a copy of the data that the Ritz Group holds about you and to inquire about:
  - the purposes for which your data are used;
  - the categories of data collected;
  - the recipients or categories of recipients who have been able to access the data;
  - the data retention period or the criteria determining that period;
  - any other rights (right to rectification and to erasure, and the right to restrict processing and to object);
  - the possibility of appealing to the competent data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL);
  - any information relating to the source of data held that are not directly collected from you;
  - any automated decision-making, including in the case of profiling, and the underlying rationale, importance and consequences for you of such a decision;
  - whether your data are transferred to a third country (non-EU member) or to an international organization.
The E-Boutique Privacy Policy covers all the points on which you have the right to be informed. In addition, you can ask our Personal Data Protection Team (See Article 12, Contact us) to obtain a copy of the data that RESA holds concerning you.
- Right to rectification: You can rectify your personal data directly by logging in to your personal account.
- Right to erasure: At your request, RESA will anonymize your Personal Data so that you can no longer be identified, unless your data are currently being used (to process an order, manage payments, handle a complaint, comply with a tax obligation, etc.) such that retention is justified, or unless we are not permitted to erase, or are required by law to retain, certain Personal Data. To make this request, please contact our Personal Data Protection Team (see Article 12, Contact us).
- Right to restrict processing: You can ask us to temporarily or permanently stop processing some or all of your Personal Data; we will then comply with this request, provided you can demonstrate your interest in restricting the processing and that such data are not essential to our services.
- Right to object: You can ask us to stop processing your Personal Data for direct marketing purposes.
- Right to data portability: You can obtain a copy of your Personal Data from us in a structured, easily transferable electronic format. Not all data are subject to portability; only data relating exclusively to you are subject to this right.
- Right not to be subject to automated decision-making: We do not use automated decision-making.
For more information, please see the CNIL website (in French).
For the sake of confidentiality and to protect your personal data, we will need to confirm your identity before we respond to your request. In case of any reasonable doubt about your identity, you may be asked to attach a copy of an official identification document, such as an identity card or passport, to support your request.
All requests will be processed promptly and in accordance with the applicable law.
If you need any help, please contact the Personal Data Protection Team (see Article 12, Contact us).
5. Complaining to the data protection authority
If you believe your rights as a data subject have not been respected after contacting the Data Controller, you can lodge a complaint with the CNIL:
Commission Nationale de l’Informatique et des Libertés (CNIL)
3 place de Fontenoy
75334 Paris, France
Website: https://www.cnil.fr/fr/webform/adresser-une-plainte
6. Changes
We may occasionally amend this Policy to comply with regulatory, legal, editorial or technical developments. If applicable, we will change the “Last updated” date and indicate the date when the changes were made.
Where necessary, we will inform you and/or seek your consent.
We recommend that you check this page regularly for any changes or updates to our policy.
7. Contact us
If you have any questions after reading the E-Boutique Privacy Policy, you can contact the Data Protection Team at:
Ritz Group Services
Personal Data Protection Team
3 rue La Boétie, 75008 Paris, France
dpo@ritzgroupservices.com