Personal data protection policy
Updated on 1st June 2020
The Agence de l’Environnement et de la Maitrise de l’Energie [The French Environment and Energy Management Agency] ("ADEME"), a state-funded industrial and commercial establishment whose registered office is located at 20, avenue du Grésillé 49000 Angers, takes the protection of personal data which it has to collect and process as part of its activity very seriously.
All processing of personal data carried out as part of the accessible services complies with the regulations applicable in relation to the protection of personal data and in particular the provisions of the French "Data Protection and Civil Liberties" Act of 6$January$1978 as amended and the General Data Protection Regulation (EU Regulation 2016/679) ("GDPR").
In order to ensure the proper application of these rules, ADEME has appointed a data protection officer who is the primary point of contact for the Commission nationale de l’informatique et des libertés [French National Commission for Information Technology and Civil Liberties] ("CNIL"). ADEME also implements the appropriate internal procedures to heighten its employees' awareness to and ensure compliance with these rules within its organisation.
This purpose of this Policy is to present to the Data Subjects, as defined below:
- the way in which ADEME processes the Personal Data, as defined below, that it collects and which the Data Subjects, as defined below, provide with their consent or based on any other legal basis to allow the provision of ADEME's Products or Services, in particular;
- the rights of the Data Subjects, as defined below;
- the possible beneficiaries of a data transfer.
Data Subjects should therefore read this Policy carefully to get to know and understand ADEME's practices regarding the processing of Personal Data that ADEME implements.
DefinitionsThe terms used with a capital letter have the definition which is given to them below. The terms have the same definition whether they are used in the singular or in the plural:
- "Personal Data" means any information relating to an identified or identifiable natural person;
- "Data Subject(s)" means a natural person who can be identified, directly or indirectly, particularly by reference to an identifier, such as a name, an identification number, location data, an online identifier, one or more elements specific to his/her physical, physiological, genetic, psychic, economic, cultural or social identity;
- "Data Controller" means ADEME which is the legal entity which, jointly or independently, decides on the aims and means of the processing;
- "Processing" means any operation or any set of operations carried out with or without the help of automated processes and applied to personal data or sets of personal data, such as the collection, recording, organising, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, limitation, erasure or destruction.
What are ADEME's undertakings in relation to the protection of personal data?ADEME undertakes to guarantee a high level of protection of the personal data of the Data Subjects who use the Sites and other Products or Services and of any other person whose Personal Data it processes.
ADEME undertakes to comply with the regulations (in particular Articles 5 and 6 of the GDPR) applicable to all processing of Personal Data that it carries out. More specifically, ADEME undertakes in particular to comply with the following principles:
- the Personal Data is processed lawfully, fairly and in a transparent manner (lawfulness, fairness, transparency);
- the Personal Data is collected for specified, explicit and legitimate purposes, and is not subsequently processed in a manner that is incompatible with those purposes (purpose limitation);
- the Personal Data is kept in an appropriate and relevant manner and is limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
- the Personal Data is accurate, kept up to date and all reasonable measures are taken to ensure that inaccurate data, with regard to the purposes for which it is processed, is erased or rectified without delay (accuracy).
ADEME uses the appropriate technical and organisational measures to guarantee a suitable level of security for the risk inherent to its processing operations, to meet the regulatory requirements and to protect the rights and the Personal Data of the Data Subjects from the very design of the processing operations.
Moreover, ADEME contractually imposes the same level of Personal Data protection on its subcontractors (service providers, suppliers, etc.).
Finally ADEME undertakes to comply with any other binding principle under the applicable regulations relating to the protection of personal data, and more specifically concerning the rights granted to the Data Subjects, the Personal Data retention times and the obligations relating to cross-border transfers of Personal Data.
What categories of Personal data are collected?With regard to the use of its products or services and its websites, various types of personal data may be collected by ADEME.
Mainly, the data collected corresponds to the following categories:
- Surname, first name, pseudonym, date of birth;
- Fixed or mobile telephone number, postal address, email address.
Means of collecting Personal DataThe Data Subjects may communicate their Personal data to ADEME by various means and particularly on the Sites whilst browsing the Internet and via the Products or Services, by filling in various data collection forms, when subscribing to a newsletter, when creating an account, when submitting an application, at the time of any contact with ADEME or during any other transmission of Personal data in other circumstances.
Processing purposes and legal basesThe purpose of the Processing of Personal Data by ADEME includes, but is not limited to, allowing Internet browsers and users to benefit from all of the services or benefits available on the Sites and Products or Services (creation of a user account, newsletter, etc.), allowing browsing on its Sites, facilitating the completion of the administrative formalities needed to process applications of Internet browsers and users, getting in contact with the Internet users for various matters through interactive discussion areas, purchases, games, competitions, information letters, answers to Internet user questions.
ADEME processes Data Subjects' information for the purposes described in this Policy and in accordance with the following legal bases:
- with the Data Subjects' consent to process their Personal Data for specific purposes. For example, ADEME can ask for the authorisation to provide customised Services, such as advertisements, newsletters, training, etc.
- for the purposes of the legitimate interests pursued by ADEME as they may develop depending on specific situations. This includes in particular the purposes relating to the development and the improvement of new Products or Services and offers of Products or Services to Internet users and/or benefiting the public, purposes needed to detect, avoid or address fraudulent activities, abuses, breaches of security or any problem of a technical nature encountered by the Products or Services, those needed for marketing operations aimed at professionals, those relating to clients or employees within a group of companies for internal administrative management purposes, etc.
- pursuant to a contract to which the Data Subjects are parties or for the fulfilment of pre-contractual measures taken at their request.
For how long is the Personal Date kept?ADEME undertakes to keep the Data Subjects' Personal Data for a period not exceeding that needed to fulfil the purposes for which it is processed. In addition, ADEME shall keep the Data Subjects' Personal Data in accordance with the retention times imposed by the applicable laws in force, as appropriate.
These retention times are defined in accordance with the processing purposes implemented by ADEME and take account, in particular, of the applicable legal provisions that impose a specific retention time for some categories of data, the possible limitation periods applicable and the recommendations of the CNIL concerning certain data processing categories.
Who may access the Data Subjects' Personal Data?
Recipients of the Data Subjects' Personal DataThe data collected on ADEME's Sites and Products or Services and by any other means may be communicated to ADEME's authorised staff, its partners or its service providers, in connection with the fulfilment of all or part of the service provisions. ADEME points out that, in this regard, its service providers are contractually bound to set up strict measures for the confidentiality and protection of such data. Furthermore, the ADEME may be obliged to provide personal information to authorised French or foreign public authorities.
Transfers of data outside of the European UnionSome of the recipients mentioned above may be based outside of the European Union and may have access to all or part of the personal information collected by ADEME because of a specific legal authorisation.
In this regard, ADEME undertakes to guarantee the protection of the Data Subjects' Personal Data in accordance with the strictest rules particularly through the signing, on a case by case basis, of contractual clauses based on the European Commission's template, or any other mechanism in line with the GDPR, if the Data Subjects' Personal Data is processed by a service provider outside of the European Economic Area and whose country is not considered by the European Commission as ensuring an appropriate level of protection.
In any case, ADEME undertakes to advise the Data Subjects in advance in the event of the transfer of data outside of the European Union.
How are the rights accorded to Data Subjects exercised?In accordance with the GDPR, the Data Subjects may, at any time, exercise their rights to access, rectify and delete the data concerning them and also their rights to limit and object to the processing and to the portability of their Personal Data.
In addition, when the processing of Personal Data implemented by ADEME is based on the consent of the Data Subjects, the Data Subjects can withdraw it at any time. ADEME shall then cease to process the Data Subjects' Personal Data without compromising the previous operations for which the Data Subjects had given their consent.
Furthermore, the Data Subjects may legally have the right to set post mortem instructions relating to the retention, the erasure and the communication of their Personal Data.
Also, any person who is a minor when the Personal Data is collected can obtain the erasure thereof as quickly as possible.
These rights shall be exercised by post to the following address:
Délégué à la Protection des Données/Data Protection Officer
20, avenue du Grésillé — BP 90406 - 49004 Angers Cedex 01
In this regard, Data Subjects are kindly asked to attach to the requests the information needed to identify them (surname, first name, email), together with any other information needed to confirm their identity.
For some specific Services, these rights may be exercised directly online (management of your user account, management of your subscriptions to newsletters, to the news, etc.).
Should the applicable regulations regarding the protection of Personal Data be breached, the Data Subjects shall also have a right of recourse with the CNIL on French territory, without prejudice to any other administrative or judicial right of recourse.
IT security / making transactions secureADEME uses all relevant technical and organisational measures, in the light of the nature, the scope and the context of the personal data that you pass on to us and of the risks presented by the processing thereof, to preserve the security of your personal data and, in particular, to prevent any destruction, loss, alteration, disclosure, intrusion or unauthorised access to such data, accidentally or illegally.
The security and the confidentiality of the Personal Data rely on the good practices of everyone. This is why the Data Subjects are asked not to pass on their passwords to third parties, to log out systematically of their profile and their corporate account (particularly in the event of linked accounts) and to close their browser window at the end of their work session, particularly if the Internet is accessed from a computer workstation shared with other people.
Personal data concerning minorsADEME does not collect or process personal data relating to children less than 16 years old without the prior agreement of the child's parents or guardians.
If Personal Data concerning children is collected via the ADEME's Sites and/or the Services or Products, the parents or guardians can object to this by contacting ADEME at the address indicated above.
Also, as mentioned above, children who are minors when the Personal Data is collected can obtain the erasure thereof as quickly as possible.
Links to access other sitesOn various pages of ADEME's Sites it is possible to click to access websites of other companies. ADEME recommends that you read the policy of such sites relating to the processing and the protection of personal data, because the conditions on such sites can differ and ADEME shall not under any circumstance be liable for the processing of personal data by such other websites.
AmendmentsADEME reserves the right to adapt this Policy.
If ADEME amends this Policy, it shall publish the new version on the relevant media and update the "last update" date that appears at the top of this Policy.
ADEME encourages you to check, on a regular basis, the relevant media where the Policy is published.