B.R. SAS is very attached to the issue of the management of personal data which can be dealt with by it, in particular under the European Parliament and The Council’s 27 April 2016 European Regulation and the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data (RGPD).
These conditions are intended to determine the guidelines that govern the processing of Personal Data by B.R. SAS
B.R. SAS is committed to dealing withPersonal Data by following the principles of lawfulness, loyalty, transparency, proportionality,minimisation, security.
Personal data is collected for specific, explicit and legitimate purposes, and dealt with in an appropriate, relevant and limited manner to what is necessary in terms of the purposes for which it isused.
Personal data is kept in a form that allows the identification of the persons concerned for a period not exceeding that necessary in view of the purposes for which it is processed.
Personal data or Data: Toute information relating to an identified or identifiable individual (hereafter referred to as “Person concerned”) directly or indirectly.
Processing Manager: B.R. SAS with the capital of €750,000 registered in the Register of Commerce and Companies of Paris under the number 499 386 753 whose head office is 28 Rue de la Procession, 92150-Suresnes, which determines the purposes and means of the treatment.
Subcontractor: The individual or corporation, which deals with personal data on behalf of the processor or another subcontractor.
Recipient: The individual or corporation that receives disclosure of personal data, whether or not it is a third party.
Consent: any expression of will, free, specific, enlightened and unambiguous by which the person concerned by the processing of personal data accepts, by a statement or by a clear positive act, that personal data concerning him be treated.
2. WHAT B.R. SAS IS LIKELY TO HANDLE?
We are likely to collect data such as: first and last name, e-mail address, Sex, Phone number, Postal address, Age/date of birth, followed by a relationship, billing data, Bank details, login data, health related data.
Mainly the data processed is based on information collected directly from you. If we have information collected by third parties, we will inform you of the source of the data every time you communicate with you.
How we collect data:
We may collect or receive data in lots of different ways. Here is an explanation of the main ways we do this:
You may give us data in person when you are a guest at one of our centers.
You may give us data in person when you’re a guest at one of our centers, for example when you:
• check-in and check-out;
• make use of our facilities and services;
• make use of our concierge services;
• attend our events;
• enter a competition, promotion or survey;
• complete a contact details card; and/or
• give us your business card.
You may give us data remotely when you interact with us.
You may give us data remotely when you interact with us via this website, by post, phone or email, or through chat or social media. For example, when you:
• sign up to receive our newsletter or other information.;
• make enquiries or request information, or correspond with us generally;
• create an account on our website;
• book spa/center’s treatments or services;
• buy items from our e-commerce;
• engage with us on social media;
• enter a competition, promotion or survey;
• leave comments or reviews; and/or
• register for some of our business services.
We may get some data automatically
When you interact with us, we may get some data automatically, including via this website. For example, that could be data about your equipment, browsing or the way you use this website.
The systems we use for guest management may also collect data automatically to help create a guest profile, which in turn gives us a better understanding of how we can improve your experience with us.
We may get some data from third parties as part of the booking for treatments or services at our centers.
We may receive data about you from various other types of third parties, including:
• from technology partners who help us run our website and mailing list sign-ups;
• from providers of payment and fraud prevention services;
• from analytics providers, advertising networks and search information providers;
• from data partners;
• from feedback and review partners;
• from publicly available sources;
• from social media, where privacy settings are set to public;
• from third parties to whom you have given permission to share your data with us; and/or
• from any third parties who are permitted by law to share your personal data with us.
Types of personal data we collect:
How we collect data above explained the different ways we might obtain or receive data. Some of that data may be personal data, so please read below to understand the different types we may collect about you. Of course, the types of personal data we collect will depend on how you interact with us.
Personal data, or personal information, means any information about an individual, which can be used to identify that person. It does not include data where the identity has been removed (anonymous data).
We collect a variety of personal information about our guests, customers and visitors to our website. As our website is not intended for children, we do not knowingly collect data relating to children.
This personal data falls into these categories:
• Identity Data includes title, gender, first name, maiden name, last name, marital status, date of birth, username or similar identifier and an encrypted version of your login/password. If you interact with us through social media, this may include your social media user name.
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Financial Data includes payment card and direct debit/bank account details.
• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
• Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses, as well as any data which we have added (for example, using analytics and profiling).
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
• Usage Data includes information about how you use our website, products and services.
• Tracking Data includes information we or others collect about you from cookies and similar tracking technologies, such as web beacons, pixels, and mobile identifiers.
• Sensitive data includes data related to health to analyse, prescribe the products and follow the improvements,discomfort during the ongoing skin/health treatment and data related to religion (in some cases) to follow the eating habits.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
We do not ordinarily collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. The only exceptions to this are: (i) if you provide health data to us as part of a skin care/treatment booking, we will use this to perform our contract with you, and we need your explicit consent to use your health data as part of that; or (ii) you have made the special category data obviously public.
Remember, if you choose not to share personal data with us, or refuse certain contact permissions, we might not be able to provide the products and services you’ve asked for.
3. FOR WHICH FINALITES ARE THE DATA COLLECTED AND PROCESSED BY B.R. SAS?
B.R. SAS is likely to collect and process your data for the following purposes:
• supply of products and services ordered from B.R. SAS
• presentation of B.R. SAS’s products and services
• After-sales service and consumer relations
• Update and improve the tools/products/services offered and used by B.R. SAS
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• Where we need to perform the contract we are about to enter into or have entered into with you. For example, when you make a booking at one of our centers, that’s a contract.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, when we carry out fraud screening as part of the check-out process or take steps to keep our website secure.
• Where we need to comply with a legal or regulatory obligation. For example, keeping records of our sales for tax compliance.
When we are considering legitimate interests, we make sure we think about and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Generally, we do not rely on consent as a legal basis for processing your personal data other than where the law requires it, for example in relation to sending certain direct communications. Where our legal basis is consent, you have the right to withdraw consent any time.
See How and why we use your personal data below for more detailed information.
to see a table explaining how we use your personal data, the types of personal data that applies to and why it is we can do this. When we explain why, we will identify the relevant category from explaining the legal bases for using personal data above, and, where it’s based on being able to do so for our legitimate interests, we will highlight what that legitimate interest is.
We may process your personal data for more than one legal basis depending on how we are using it.
How we are using the personal data
|What types of personal data do we use to do that||Why it is that we can do that||To provide you with the item you have booked or ordered|
|Identity, Contact, Financial, Transaction, Marketing and Communications||Performance of a contract with you. Necessary for our legitimate interests (including to administer our business and keep records)||To process and take orders from the gifts & experiences webshop|
|Identity, Contact, Financial, Transaction, Marketing and Communications||Performance of a contract with you. Necessary for our legitimate interests (including to administer our business and keep records)||To register you as a new guest or website visitor|
|Identity and Contact||Performance of a contract with you||To process and book skin care/treatment or service you have booked or ordered|
|Identity, Contact, Financial, Transaction, Marketing and Communications||Performance of a contract with you. Necessary for our legitimate interests (including to administer our business and keep records)||To provide you with the hospitality, spa treatment or service you have booked or ordered|
|Identity, Contact, Financial, Transaction, Marketing and Communications||Performance of a contract with you. Necessary for our legitimate interests (including to administer our business and keep records). Where you provide health data to us as part of a skin care/treatment booking, we will use this to perform our contract with you, but also because we have asked you for your explicit consent.||To manage payments, fees and charges, and to collect and recover money owed to us|
|Identity and Contact||Performance of a contract with you, Necessary to comply with a legal obligation and Necessary for our legitimate interests (to keep our records updated)||To ask you to leave a review or take a survey|
|Identity, Contact, Profile, Marketing and Communications||Necessary for our legitimate interests (to study how our guests and website visitors use our accommodation, hospitality, skin care/treatment treatment and services)||To enable you to take part in a prize draw or competition|
|Identity, Contact, Profile, Usage, Marketing and Communications||Consent||To deliver relevant website content and measure or understand the effectiveness of the content we deliver|
|Identity, Contact, Profile, Usage, Marketing and Communications, Technical and Tracking||Necessary for our legitimate interests (to provide information about our skin care/treatment and services, and to study how our website visitors use our website and information to inform our website and general business strategy)||To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)|
|Identity, Contact, Technical and Tracking||Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud) Necessary to comply with a legal or regulatory obligation||To use data analytics to understand our business, including to improve our website, to improve our accommodation, hospitality, skin care/treatment and services, to improve our marketing, and to improve our guest and website visitor relationships|
|Technical and Usage||Necessary for our legitimate interests (to understand and define types of guests for our skin care/treatment and services, to understand and define our website content, to develop our business and to inform our strategy)||To make suggestions and recommendations to you about skin care/treatment and services that may be of interest to you|
|Identity, Contact, Technical, Usage and Profile||Necessary for our legitimate interests (to develop our skin care/treatment and services and grow our business)||To prevent and detect unlawful acts|
|Identity, Contact, Financial, Transaction, Technical and Tracking||Necessary for our legitimate interests (to protect our business and our guests and website visitors by undertaking fraud monitoring and suspicious transaction monitoring)||Necessary to comply with a legal or contractual obligation to share personal data for the purposes of law enforcement|
|In order to resolve legal claims or disputes involving you or us||All relevant data categories, depending on the nature of the allegation or claim||Necessary to bring or defend a claim|
4. ON THE LEGAL BASIS THE DATA ARE COLLECTED AND PROCESSED?
B.R. SAS is likely to collect and reprocess data based on three bases: your consent, the legitimate interest of B.R. SAS, the execution of a contract between you and B.R.SAS.
Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the person concerned and the person in charge of the treatment in situations such as those where the person concerned is a client of the person in charge of the treatment or one of its attendants.
For example: the processing of personal data that is strictly necessary for prospecting purposes.
The mandatory or optional nature of the data collection will always be indicated at the time of the collection of the relevant data.
In addition, the collection of certain data may be imposed for a regulatory or contractual reason.
5. HOW DO YOU EXERCISE YOUR RIGHTS?
Individuals will be able to assert their right to request access to the Data, the correction or erasure of the Data, the portability of the Data to a tiers, the limitation of processing and to oppose the Processing by e-mail requesting it at an email address specially created for processing purposes.
• By email to: [email protected]
• Complaint service with CNIL
3 Fontenoy Square – TSA 80715 – 75334 PARIS CEDEX 07
Tel: 01 53 73 22 22 /Fax: 01 53 73 22 00
Or at www.cnil.fr/fr/plaintes or www.cnil.fr
A copy of an ID may be requested if necessary.
In the event of opposition to thet-processing or transmission of erroneous or fanciful data, the services related to the collection of the Data will not be able to be rendered, since B.R. SAS cannot in any way incur liability in this regard.
6. WHO ARE THE RECIPIENTS OF THE DONATIONS?
The data collected will be processed by the employees of B.R. SAS or the BIO RECHERCHE sales outlets who are entitled, depending on their position, to have access and process the data.
In some cases, the data collected may be processed by subcontractors or partners of B.R. SAS only within the limits necessary to carry out the tasks entrusted to them.
B.R. SAS strictly requires its subcontractors or partners to process Personal Data only to manage the services i aredependent on them. B.R. SAS also asks these providers or partners to always act in accordance with applicable privacy laws and to pay particular attention to the confidentiality and security of this data.
The data may be communicated by B.R. SAS to the administration, the courts, the state services in accordance with the legal and regulatory provisions.
7. WHERE ARE THE DATA STORED?
Personalonnate devices are stored either on B.R. SAS’s servers or on our service providers’ servers but exclusively on the territory of the European Union.
8. HOW LONG ARE THE DETAILS KEPT?
Personal data is kept for the following lengths of time:
• Customer data: during the duration of the relationship, the legal time to prescribe and maintain is necessary.
• Advertising/prospecting data: 2 years from the last contact
• Logs/website data: 2 years
In any event, they are kept in a form that allows the identification of the persons concerned for a period not exceeding that necessary in view of the purposes for which they are treated.
If you choose not to give us your personal data:
When you make a booking with us for skin care/treatments or other services, we may need to collect some of your personal data by law, or under the terms of a contract we have with you. This means that if you decide not to give us your data, we might not be able to provide the service, and may have to cancel your booking or purchase. We will let you know if this is the case at the time, so you can decide what you’d like to do.
9. THE SECURITY OF THE CASE
B.R. undertakes to ensure that all security and privacy measures meet the security standards that can reasonably be expected in light of the state of the art and applicable regulations, including hardware, software and logic, necessary to ensure the preservation and integrity of Personal Data and the security and protection of data from accidental or unlawful destruction, accidental loss, tampering, disclosure or unauthorized access.
We also make sure that only people with a business need to know are able to access your data, including employees, agents, contractors and other third parties. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, sending information over the internet is not completely secure. Although we will do our best to protect your personal data, we cannot completely guarantee the security of your data transmitted to our site.
Third party links:
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Finally, a small request:
To help you get the most from your Biologique Recherche experience, it’s important that your personal data is accurate and up to date. If anything changes during your relationship with us, please let us know. Thank you.