Personal data protection policy

The French Environment and Energy Management Agency (“ADEME”, a state-funded industrial and  commercial establishment whose registered office is located at 20, avenue du Grésillé 49000 Angers,  takes the protection of Personal Data which it has to collect and process as data controller in the  scope of its activity very seriously.  

Hence, the collection and Processing of Personal Data carried out by ADEME in connection with the  operation of its activity and the use of its products or services (jointly the “Products or Services”), the  information or communication website which ADEME operates at the address www.ademe.fr, its  databases, its web applications offered as part of ADEME’s missions and requiring the creation of an  account and allowing a user/application interaction and its mobile applications (jointly the “Site”) are  governed by this date protection policy (referred to hereafter as the “Policy”).  

All Processing of Personal Data carried out as part of the accessible Services complies with the  regulations applicable in relation to the protection of Personal Data and in particular the provisions of  the French “Data Protection and Civil Liberties” Act of 6 January 1978 as amended and the General  Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).  

In order to ensure the proper application of these rules, ADEME has appointed a data protection  officer who is the primary point of contact for the Commission nationale de l’informatique et des  libertés [French National Commission for Information Technology and Civil Liberties] (“CNIL”). ADEME  also implements the appropriate internal procedures to heighten its employees’ awareness to and  ensure compliance with these rules within its organisation.  

This purpose of this Policy is to present to the Data Subjects, as defined below:  – the way in which ADEME processes the Personal Data, as defined below, that it collects and  which the Data Subjects, as defined below, provide with their consent or based on any other  legal basis to allow the provision of ADEME’s Products or Services, in particular;  – the rights of the Data Subjects;  

– the possible beneficiaries of a data transfer.  

Data Subjects should therefore read this Policy carefully to get to know and understand ADEME’s  practices regarding the Processing of Personal Data that ADEME implements.  

1. Definitions  

The terms used with a capital letter have the definition which is given to them below. The terms have  the same definition whether they are used in the singular or in the plural.  

  • “Personal Data” means any information relating to an identified or identifiable natural person.  
  • “Data Subject(s)” means a natural person who can be identified, directly or indirectly,  particularly by reference to an identifier, such as a name, an identification number, location data, an online identifier, one or more elements specific to his/her physical, physiological,  genetic, psychic, economic, cultural or social identity.  
  • “Data Controller” means ADEME which is the legal entity which, jointly or independently,  decides on the aims and means of the processing.  
  • “Service” means the services provided by ADEME.  
  • “Site” means all web pages and related resources accessible at https://www.ademe.fr/.  
  • “Processing” means any operation or any set of operations carried out with or without the help  of automated processes and applied to Personal Data or sets of Personal Data, such as the  collection, recording, organising, structuring, storage, adaptation or modification, extraction,  consultation, use, communication by transmission, dissemination or any other form of making  available, alignment or interconnection, limitation, erasure or destruction.  

2. What are ADEME’s undertakings in relation to the protection of  Personal Data?  

ADEME undertakes to guarantee a high level of protection of the Personal Data of the Data Subjects  who use the Site and other Products or Services and of any other Data Subject whose Personal Data it  processes.  

ADEME undertakes to comply with the regulations (in particular Articles 5 and 6 of the GDPR)  applicable to all Processing of Personal Data that it carries out. More specifically, ADEME undertakes in  particular to comply with the following principles: 

  • the Personal Data is processed lawfully, fairly and in a transparent manner (lawfulness, fairness,  transparency);  
  • the Personal Data is collected for specified, explicit and legitimate purposes, and is not  subsequently processed in a manner that is incompatible with those purposes (purpose  limitation);  
  • the Personal Data is kept in an appropriate and relevant manner and is limited to what is  necessary in relation to the purposes for which it is processed (data minimisation);  – the Personal Data is accurate, kept up to date and all reasonable measures are taken to ensure  that inaccurate data, with regard to the purposes for which it is processed, is erased or  rectified without delay (accuracy).  

ADEME uses the appropriate technical and organisational measures to guarantee a suitable level of  security for the risk inherent to its Processing operations, to meet the regulatory requirements and to  protect the rights and the Personal Data of the Data Subjects from the very design of the Processing  operations.  

Moreover, ADEME contractually imposes the same level of Personal Data protection on its  subcontractors (service providers, suppliers, etc.).  

Finally ADEME undertakes to comply with any other binding principle under the applicable regulations  relating to the protection of Personal Data, and more specifically concerning the rights granted to the  Data Subjects, the Personal Data retention times and the obligations relating to cross-border transfers  of Personal Data. 

3. What categories of Personal Data are collected?  

With regard to the use of its products or services and its Site, various types of Personal Data may be collected by ADEME.  

Mainly, the data collected corresponds to the following categories:  

  • Identification data : surname, first name, pseudonym, date of birth;  
  • Contact details : fixed or mobile telephone number, postal address, email address.  

4. Means of collecting Personal Data  

The Data Subjects may communicate their Personal Data to ADEME by various means and particularly  on the Sites whilst browsing the Internet and via the Products or Services, by filling in various data collection forms, when subscribing to a newsletter, when creating an account, when submitting an  application, at the time of any contact with ADEME or during any other transmission of Personal Data  in other circumstances.  

5. Processing purposes and legal bases  

The purposes of the Processing of Personal Data by ADEME are based on the following legal bases: the  contractual execution, the consent of the Data Subjects, the legal and regulatory obligations of  ADEME, its legitimate interest.  

The purposes related to each legal basis are listed below:  

– Based on the execution of pre-contractual measures taken at the request of the Data Subjects  and/or on the execution of the contract they have signed, ADEME implements Treatments with  the following purposes:  

o the management of the relationship of the users of the Site with ADEME, including in  particular:  

▪ the creation of a user account;  

▪ the use of the site and the services it offers;  

▪ the management of communications and the follow-up of exchanges with users.  

– Based on the consent of the Data Subjects, ADEME implements Treatments with the following  purposes:  

o the provision of personalized Services such as announcements, newsletters, training,  etc.;  

o the provision of optional Services such as interactive discussion forums or chats;  o the management of user participation in games and contests;  

o the management of cookies subject to consent.  

– Based on the respect of its legal and regulatory obligations, ADEME implements Treatments  with the following purposes:  

o the development of Products and Services allowing to facilitate the accomplishment of  the administrative formalities necessary to the treatment of the requests of the Net  surfers and users;  

o the management of responses to official requests from public or judicial authorities  empowered for this purpose;  

o the respect of the applicable regulations to our activity;  

o the management of requests to exercise rights.  

– On the basis of its legitimate interests, ADEME implements Treatments with the following aims: 

o the development and improvement of new Products or Services and offers of Products  or Services to Internet users and/or benefiting the public;  

o the fight against fraud, abuse, including also the management of the consequences of  such fraud or abuse;  

o the management of security breaches or any technical problems encountered by the  Products or Services;  

o carrying out commercial canvassing operations for professionals;  

o the management of customers or employees within a group of companies for internal  administrative management purposes;  

o the management of user requests for information and complaints;  

o the establishment of any means of proof needed to defend ADEME’s rights;  o the management of cookies not subject to consent.  

6. For how long is the Personal Date kept?  

ADEME undertakes to keep the Data Subjects’ Personal Data for a period not exceeding that needed  to fulfil the purposes for which it is processed, increased by the statutory limitation period. In  addition, ADEME shall keep the Data Subjects’ Personal Data in accordance with the retention times  imposed by the applicable laws in force, as appropriate.  

More specifically, ADEME organises its data retention policy as follows: 

PURPOSE RETENTION PERIOD
Management of the relationship  of the users of the Site with  ADEME The data are retained throughout the duration of the  contractual relationship: the lifetime of the user account or the  last incoming contact (connection or modification to the  personal space), plus the duration of the acquisition of the legal  requirements.  The statute of limitations under general law in civil and  commercial matters is five (5) years from the end of the  contract. 
Provision of personalized Services The data are retained for three (3) years from the last incoming  contact. 
Provision of optional Services The data are retained for three (3) years from the last incoming  contact. 
Management of user participation  in games and contests The data are retained for three (3) years from the last incoming  contact. 
The development of Products and  Services allowing to facilitate the  accomplishment of the  administrative formalities  necessary to the treatment of the  requests of the Net surfers and  users The data are retained throughout the duration of the  achievement of the administrative formalities, increased by the  duration of acquisition of the legal requirements.  The statute of limitations under general law in civil and  commercial matters is five (5) years from the end of the  contract. 
Management of responses to  official requests from authorized  public or judicial authorities The data are retained throughout the duration of the  investigation by the authorities. 
Gestion des demandes d’exercice  de droits The data are retained for one (1) or six (6) years, according to  the right exercised 
The fight against fraud, abuse Data may be retained for up to twelve (12) months from the  issuance of alerts before being qualified.  Alerts qualified as irrelevant or unqualified at the end of the  twelve (12) month period are deleted. Qualified alerts are retained for a maximum of five (5) years  from the closing of the fraud file. For persons on a list of known  fraudsters, their data are deleted after five (5) years from the  date of inclusion on the list.  If legal proceedings have been instituted, the data are retained  until the end of the legal proceedings, plus the period of  acquisition of the legal requirements.  The statute of limitations under ordinary law in civil and  commercial matters is five (5) years from the end of the  contract. 
Management of Security breaches Computer traces are retained for thirteen (13) months.
carrying out commercial  canvassing operations for  professionals The data are retained for three (3) years from the last incoming  contact. 
Management of customers or  employees within a group of  companies for internal  administrative management  purposes The data are retained throughout the entire duration of the  contractual relationship, plus the period of acquisition of the  legal requirements.  The statute of limitations under general civil and commercial  law is five (5) years from the end of the contract.
Management of user requests for  information and complaints In the case of a contractual relationship with ADEME, the data  are retained throughout the duration of the contractual  relationship, plus the period of acquisition of the legal  requirements.  The statute of limitations under general law in civil and  commercial matters is five (5) years from the end of the  contract.  In the absence of a contractual relationship with ADEME, the  data are retained for three (3) years from the last incoming  contact. 
Establishment of any means of  proof needed to defend ADEME’s  rights In the case of a contractual relationship with ADEME, the data  are retained throughout the duration of the contractual  relationship, plus the period of acquisition of the legal  requirements.  The statute of limitations under general law in civil and  commercial matters is five (5) years from the end of the  contract.  In the absence of a contractual relationship with ADEME, the  data are retained for three (3) years from the last incoming  contact. 
Management of cookies The duration of data retention may not exceed thirteen (13)  months. 

7. Who may access the Data Subjects’ Personal Data?  

Recipients of the Data Subjects’ Personal Data  

The data collected on ADEME’s Site and Products or Services and by any other means may be  communicated to ADEME’s authorised staff, its partners or its service providers, in connection with the fulfilment of all or part of the service provisions. ADEME points out that, in this regard, its service  providers are contractually bound to set up strict measures for the confidentiality and protection of  such data. Furthermore, the ADEME may be obliged to provide personal information to authorised  French or foreign public authorities.  

Transfers of data outside of the European Union  

Some of the recipients mentioned above may be based outside of the European Union and may have  access to all or part of the personal information collected by ADEME because of a specific legal  authorisation.  

In this regard, ADEME undertakes to guarantee the protection of the Data Subjects’ Personal Data in  accordance with the strictest rules particularly through the signing, on a case by case basis, of  contractual clauses based on the European Commission’s template, or any other mechanism in line  with the GDPR, if the Data Subjects’ Personal Data is processed by a service provider outside of the  European Economic Area and whose country is not considered by the European Commission as  ensuring an appropriate level of protection.  

In any case, ADEME undertakes to advise the Data Subjects in advance in the event of the transfer of  data outside of the European Union.  

8. How are the rights accorded to Data Subjects exercised?  

In accordance with the GDPR, the Data Subjects may, at any time, exercise their rights to access,  rectify and delete the data concerning them and also their rights to limit and object to the Processing  and to the portability of their Personal Data.  

In addition, when the Processing of Personal Data implemented by ADEME is based on the consent of  the Data Subjects, the Data Subjects can withdraw it at any time. ADEME shall then cease to process  the Data Subjects’ Personal Data without compromising the previous operations for which the Data  Subjects had given their consent.  

Furthermore, the Data Subjects may legally have the right to set post mortem instructions relating to  the retention, the erasure and the communication of their Personal Data, and this from a trusted third party, certified and responsible for enforcing their will, in accordance with the requirements of the  applicable legal framework.  

Also, any Data Subject who is a minor when the Personal Data is collected can obtain the erasure  thereof as quickly as possible.  

Data Subjects may request to exercise their right to object to the Processing of Personal Data  concerning them for reasons relating to their particular situation when the Processing is based on the legitimate interest of ADEME. This right of opposition also applies to profiling.    In case of exercise of such a right of opposition, ADEME will cease Processing except when there are  legitimate and imperative reasons for the Processing that prevail over the interests, rights and  freedoms of the Data Subjects or for the establishment, exercise or defense of a right in court.  The Data Subjects may also object to any Processing related to canvassing without it being necessary  to invoke reasons relating to their particular situation. 

As part of the right of access, ADEME may request from the Data Subjects to pay a reasonable fee  based on administrative costs for any additional copy of the data to that which will be communicated.  

These rights shall be exercised by post to the following address:  

 ADEME 

 Délégué à la Protection des Données/Data Protection Officer  

 20, avenue du Grésillé — BP 90406 – 49004 Angers Cedex 01  

 Or by Email at the following address: rgpd@ademe.fr 

In this regard, Data Subjects are kindly asked to attach to the requests the information needed to  identify them (surname, first name, email), together with any other information needed to confirm  their identity.  

For some specific Services, these rights may be exercised directly online (management of your user  account, management of your subscriptions to newsletters, to the news, etc.).  

Should the applicable regulations regarding the protection of Personal Data be breached, the Data  Subjects shall also have a right of complaint with the CNIL on French territory (3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07 ; tél. : 01 53 73 22 22), without prejudice to any other administrative  or judicial right of recourse.  

9. IT security / making transactions secure  

ADEME uses all relevant technical and organisational measures, in the light of the nature, the scope  and the context of the Personal Data that you pass on to us and of the risks presented by the  processing thereof, to preserve the security of your Personal Data and, in particular, to prevent any  destruction, loss, alteration, disclosure, intrusion or unauthorised access to such data, accidentally or  illegally.  

The security and the confidentiality of the Personal Data rely on the good practices of everyone. This is why the Data Subjects are asked not to pass on their passwords to third parties, to log out  systematically of their profile and their corporate account (particularly in the event of linked accounts)  and to close their browser window at the end of their work session, particularly if the Internet is  accessed from a computer workstation shared with other people.  

10. Personal Data concerning minors  

ADEME does not collect or process Personal Data relating to children less than 16 years old without the  prior agreement of the child’s parents or guardians.  

If Personal Data concerning children is collected via the ADEME’s Site and/or the Services or Products,  the parents or guardians can object to this by contacting ADEME at the address indicated above.  

Also, as mentioned above, children who are minors when the Personal Data is collected can obtain the  erasure thereof as quickly as possible.  

11.Links to access other sites  

On various pages of ADEME’s Site it is possible to click to access websites of other companies. ADEME  recommends that you read the policy of such sites relating to the processing and the protection of  Personal Data, because the conditions on such sites can differ from those applicable on the ADEME’s  Site. and the latter shall not under any circumstance be liable for the processing of Personal Data by such other websites. 

12. Amendments  

ADEME reserves the right to adapt this Policy.  

If ADEME amends this Policy, it shall publish the new version on the relevant media and update the  “last update” date that appears at the top of this Policy.  

ADEME encourages you to check, on a regular basis, the relevant media where the Policy is published.