Personal data protection policy
The French Environment and Energy Management Agency (“ADEME”, a state-funded industrial and commercial establishment whose registered office is located at 20, avenue du Grésillé 49000 Angers, takes the protection of Personal Data which it has to collect and process as data controller in the scope of its activity very seriously.
Hence, the collection and Processing of Personal Data carried out by ADEME in connection with the operation of its activity and the use of its products or services (jointly the “Products or Services”), the information or communication website which ADEME operates at the address www.ademe.fr, its databases, its web applications offered as part of ADEME’s missions and requiring the creation of an account and allowing a user/application interaction and its mobile applications (jointly the “Site”) are governed by this date protection policy (referred to hereafter as the “Policy”).
All Processing of Personal Data carried out as part of the accessible Services complies with the regulations applicable in relation to the protection of Personal Data and in particular the provisions of the French “Data Protection and Civil Liberties” Act of 6 January 1978 as amended and the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).
In order to ensure the proper application of these rules, ADEME has appointed a data protection officer who is the primary point of contact for the Commission nationale de l’informatique et des libertés [French National Commission for Information Technology and Civil Liberties] (“CNIL”). ADEME also implements the appropriate internal procedures to heighten its employees’ awareness to and ensure compliance with these rules within its organisation.
This purpose of this Policy is to present to the Data Subjects, as defined below: – the way in which ADEME processes the Personal Data, as defined below, that it collects and which the Data Subjects, as defined below, provide with their consent or based on any other legal basis to allow the provision of ADEME’s Products or Services, in particular; – the rights of the Data Subjects;
– the possible beneficiaries of a data transfer.
Data Subjects should therefore read this Policy carefully to get to know and understand ADEME’s practices regarding the Processing of Personal Data that ADEME implements.
1. Definitions
The terms used with a capital letter have the definition which is given to them below. The terms have the same definition whether they are used in the singular or in the plural.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Data Subject(s)” means a natural person who can be identified, directly or indirectly, particularly by reference to an identifier, such as a name, an identification number, location data, an online identifier, one or more elements specific to his/her physical, physiological, genetic, psychic, economic, cultural or social identity.
- “Data Controller” means ADEME which is the legal entity which, jointly or independently, decides on the aims and means of the processing.
- “Service” means the services provided by ADEME.
- “Site” means all web pages and related resources accessible at https://www.ademe.fr/.
- “Processing” means any operation or any set of operations carried out with or without the help of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, recording, organising, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, limitation, erasure or destruction.
2. What are ADEME’s undertakings in relation to the protection of Personal Data?
ADEME undertakes to guarantee a high level of protection of the Personal Data of the Data Subjects who use the Site and other Products or Services and of any other Data Subject whose Personal Data it processes.
ADEME undertakes to comply with the regulations (in particular Articles 5 and 6 of the GDPR) applicable to all Processing of Personal Data that it carries out. More specifically, ADEME undertakes in particular to comply with the following principles:
- the Personal Data is processed lawfully, fairly and in a transparent manner (lawfulness, fairness, transparency);
- the Personal Data is collected for specified, explicit and legitimate purposes, and is not subsequently processed in a manner that is incompatible with those purposes (purpose limitation);
- the Personal Data is kept in an appropriate and relevant manner and is limited to what is necessary in relation to the purposes for which it is processed (data minimisation); – the Personal Data is accurate, kept up to date and all reasonable measures are taken to ensure that inaccurate data, with regard to the purposes for which it is processed, is erased or rectified without delay (accuracy).
ADEME uses the appropriate technical and organisational measures to guarantee a suitable level of security for the risk inherent to its Processing operations, to meet the regulatory requirements and to protect the rights and the Personal Data of the Data Subjects from the very design of the Processing operations.
Moreover, ADEME contractually imposes the same level of Personal Data protection on its subcontractors (service providers, suppliers, etc.).
Finally ADEME undertakes to comply with any other binding principle under the applicable regulations relating to the protection of Personal Data, and more specifically concerning the rights granted to the Data Subjects, the Personal Data retention times and the obligations relating to cross-border transfers of Personal Data.
3. What categories of Personal Data are collected?
With regard to the use of its products or services and its Site, various types of Personal Data may be collected by ADEME.
Mainly, the data collected corresponds to the following categories:
- Identification data : surname, first name, pseudonym, date of birth;
- Contact details : fixed or mobile telephone number, postal address, email address.
4. Means of collecting Personal Data
The Data Subjects may communicate their Personal Data to ADEME by various means and particularly on the Sites whilst browsing the Internet and via the Products or Services, by filling in various data collection forms, when subscribing to a newsletter, when creating an account, when submitting an application, at the time of any contact with ADEME or during any other transmission of Personal Data in other circumstances.;
5. Processing purposes and legal bases
The purposes of the Processing of Personal Data by ADEME are based on the following legal bases: the contractual execution, the consent of the Data Subjects, the legal and regulatory obligations of ADEME, its legitimate interest.
The purposes related to each legal basis are listed below:
- Based on the execution of pre-contractual measures taken at the request of the Data Subjects and/or on the execution of the contract they have signed, ADEME implements Treatments with the following purposes;
- the management of the relationship of the users of the Site with ADEME, including in particular:
- the creation of a user account;
- the use of the site and the services it offers;
- the management of communications and the follow-up of exchanges with users.
- the management of the relationship of the users of the Site with ADEME, including in particular:
- Based on the consent of the Data Subjects, ADEME implements Treatments with the following purposes:
- the provision of personalized Services such as announcements, newsletters, training, etc.;
- the provision of optional Services such as interactive discussion forums or chats;
- the management of user participation in games and contests;
- the management of cookies subject to consent.
- Based on the respect of its legal and regulatory obligations, ADEME implements Treatments with the following purposes:
- the development of Products and Services allowing to facilitate the accomplishment of the administrative formalities necessary to the treatment of the requests of the Net surfers and users;
- the management of responses to official requests from public or judicial authorities empowered for this purpose;
- the respect of the applicable regulations to our activity;
- the management of requests to exercise rights.
- On the basis of its legitimate interests, ADEME implements Treatments with the following aims:
- the development and improvement of new Products or Services and offers of Products or Services to Internet users and/or benefiting the public;
- the fight against fraud, abuse, including also the management of the consequences of such fraud or abuse;
- the management of security breaches or any technical problems encountered by the Products or Services;
- carrying out commercial canvassing operations for professionals;
- the management of customers or employees within a group of companies for internal administrative management purposes;
- the management of user requests for information and complaints;
- the establishment of any means of proof needed to defend ADEME’s rights; o the management of cookies not subject to consent.
6. For how long is the Personal Date kept?
ADEME undertakes to keep the Data Subjects’ Personal Data for a period not exceeding that needed to fulfil the purposes for which it is processed, increased by the statutory limitation period. In addition, ADEME shall keep the Data Subjects’ Personal Data in accordance with the retention times imposed by the applicable laws in force, as appropriate.
More specifically, ADEME organises its data retention policy as follows:
PURPOSE | RETENTION PERIOD |
Management of the relationship of the users of the Site with ADEME | The data are retained throughout the duration of the contractual relationship: the lifetime of the user account or the last incoming contact (connection or modification to the personal space), plus the duration of the acquisition of the legal requirements. The statute of limitations under general law in civil and commercial matters is five (5) years from the end of the contract. |
Provision of personalized Services | The data are retained for three (3) years from the last incoming contact. |
Provision of optional Services | The data are retained for three (3) years from the last incoming contact. |
Management of user participation in games and contests | The data are retained for three (3) years from the last incoming contact. |
The development of Products and Services allowing to facilitate the accomplishment of the administrative formalities necessary to the treatment of the requests of the Net surfers and users | The data are retained throughout the duration of the achievement of the administrative formalities, increased by the duration of acquisition of the legal requirements. The statute of limitations under general law in civil and commercial matters is five (5) years from the end of the contract. |
Management of responses to official requests from authorized public or judicial authorities | The data are retained throughout the duration of the investigation by the authorities. |
Gestion des demandes d’exercice de droits | The data are retained for one (1) or six (6) years, according to the right exercised |
The fight against fraud, abuse | Data may be retained for up to twelve (12) months from the issuance of alerts before being qualified. Alerts qualified as irrelevant or unqualified at the end of the twelve (12) month period are deleted. Qualified alerts are retained for a maximum of five (5) years from the closing of the fraud file. For persons on a list of known fraudsters, their data are deleted after five (5) years from the date of inclusion on the list. If legal proceedings have been instituted, the data are retained until the end of the legal proceedings, plus the period of acquisition of the legal requirements. The statute of limitations under ordinary law in civil and commercial matters is five (5) years from the end of the contract. |
Management of Security breaches | Computer traces are retained for thirteen (13) months. |
carrying out commercial canvassing operations for professionals | The data are retained for three (3) years from the last incoming contact. |
Management of customers or employees within a group of companies for internal administrative management purposes | The data are retained throughout the entire duration of the contractual relationship, plus the period of acquisition of the legal requirements. The statute of limitations under general civil and commercial law is five (5) years from the end of the contract. |
Management of user requests for information and complaints | In the case of a contractual relationship with ADEME, the data are retained throughout the duration of the contractual relationship, plus the period of acquisition of the legal requirements. The statute of limitations under general law in civil and commercial matters is five (5) years from the end of the contract. In the absence of a contractual relationship with ADEME, the data are retained for three (3) years from the last incoming contact. |
Establishment of any means of proof needed to defend ADEME’s rights | In the case of a contractual relationship with ADEME, the data are retained throughout the duration of the contractual relationship, plus the period of acquisition of the legal requirements. The statute of limitations under general law in civil and commercial matters is five (5) years from the end of the contract. In the absence of a contractual relationship with ADEME, the data are retained for three (3) years from the last incoming contact. |
Management of cookies | The duration of data retention may not exceed thirteen (13) months. |
7. Who may access the Data Subjects’ Personal Data?
Recipients of the Data Subjects’ Personal Data
The data collected on ADEME’s Site and Products or Services and by any other means may be communicated to ADEME’s authorised staff, its partners or its service providers, in connection with the fulfilment of all or part of the service provisions. ADEME points out that, in this regard, its service providers are contractually bound to set up strict measures for the confidentiality and protection of such data. Furthermore, the ADEME may be obliged to provide personal information to authorised French or foreign public authorities.
Transfers of data outside of the European Union
Some of the recipients mentioned above may be based outside of the European Union and may have access to all or part of the personal information collected by ADEME because of a specific legal authorisation.
In this regard, ADEME undertakes to guarantee the protection of the Data Subjects’ Personal Data in accordance with the strictest rules particularly through the signing, on a case by case basis, of contractual clauses based on the European Commission’s template, or any other mechanism in line with the GDPR, if the Data Subjects’ Personal Data is processed by a service provider outside of the European Economic Area and whose country is not considered by the European Commission as ensuring an appropriate level of protection.
In any case, ADEME undertakes to advise the Data Subjects in advance in the event of the transfer of data outside of the European Union.
8. How are the rights accorded to Data Subjects exercised?
In accordance with the GDPR, the Data Subjects may, at any time, exercise their rights to access, rectify and delete the data concerning them and also their rights to limit and object to the Processing and to the portability of their Personal Data.
In addition, when the Processing of Personal Data implemented by ADEME is based on the consent of the Data Subjects, the Data Subjects can withdraw it at any time. ADEME shall then cease to process the Data Subjects’ Personal Data without compromising the previous operations for which the Data Subjects had given their consent.
Furthermore, the Data Subjects may legally have the right to set post mortem instructions relating to the retention, the erasure and the communication of their Personal Data, and this from a trusted third party, certified and responsible for enforcing their will, in accordance with the requirements of the applicable legal framework.
Also, any Data Subject who is a minor when the Personal Data is collected can obtain the erasure thereof as quickly as possible.
Data Subjects may request to exercise their right to object to the Processing of Personal Data concerning them for reasons relating to their particular situation when the Processing is based on the legitimate interest of ADEME. This right of opposition also applies to profiling. In case of exercise of such a right of opposition, ADEME will cease Processing except when there are legitimate and imperative reasons for the Processing that prevail over the interests, rights and freedoms of the Data Subjects or for the establishment, exercise or defense of a right in court. The Data Subjects may also object to any Processing related to canvassing without it being necessary to invoke reasons relating to their particular situation.
As part of the right of access, ADEME may request from the Data Subjects to pay a reasonable fee based on administrative costs for any additional copy of the data to that which will be communicated.
These rights shall be exercised by post to the following address:
- ADEME
- Délégué à la Protection des Données/Data Protection Officer
- 20, avenue du Grésillé — BP 90406 – 49004 Angers Cedex 01
Or by Email at the following address: rgpd@ademe.fr
In this regard, Data Subjects are kindly asked to attach to the requests the information needed to identify them (surname, first name, email), together with any other information needed to confirm their identity.
For some specific Services, these rights may be exercised directly online (management of your user account, management of your subscriptions to newsletters, to the news, etc.).
9. IT security / making transactions secure
ADEME uses all relevant technical and organisational measures, in the light of the nature, the scope and the context of the Personal Data that you pass on to us and of the risks presented by the processing thereof, to preserve the security of your Personal Data and, in particular, to prevent any destruction, loss, alteration, disclosure, intrusion or unauthorised access to such data, accidentally or illegally.
The security and the confidentiality of the Personal Data rely on the good practices of everyone. This is why the Data Subjects are asked not to pass on their passwords to third parties, to log out systematically of their profile and their corporate account (particularly in the event of linked accounts) and to close their browser window at the end of their work session, particularly if the Internet is accessed from a computer workstation shared with other people.
10. Personal Data concerning minors
ADEME does not collect or process Personal Data relating to children less than 16 years old without the prior agreement of the child’s parents or guardians.
If Personal Data concerning children is collected via the ADEME’s Site and/or the Services or Products, the parents or guardians can object to this by contacting ADEME at the address indicated above.
Also, as mentioned above, children who are minors when the Personal Data is collected can obtain the erasure thereof as quickly as possible.
11.Links to access other sites
On various pages of ADEME’s Site it is possible to click to access websites of other companies. ADEME recommends that you read the policy of such sites relating to the processing and the protection of Personal Data, because the conditions on such sites can differ from those applicable on the ADEME’s Site. and the latter shall not under any circumstance be liable for the processing of Personal Data by such other websites.
12. Amendments
ADEME reserves the right to adapt this Policy.
If ADEME amends this Policy, it shall publish the new version on the relevant media and update the “last update” date that appears at the top of this Policy.
ADEME encourages you to check, on a regular basis, the relevant media where the Policy is published.