Privacy policy





Applicable as of October 20, 2021

References: PDC – PENV – 202101

Definitions :

Host”: means the natural or legal person with whom the User makes a Reservation.

IT Service Providers”: refers to the IT service providers with whom the Data Controller has contracted for the design, corrective and upgraded maintenance and hosting of the Site.

Reservation”: means the reservation made by the CLIENT for the Stay.

“Users”: Refers to the natural persons accessing and using the Site.

Article 1: General provisions and acceptance of the privacy policy

1.1 This privacy policy applies to the processing of personal data by the association OFFICE DE TOURISME SYNDICAT INITIATIVE, an association registered under the SIREN number 383 814 712, whose head office is located at 2 place du Clauzel – 43000 LE PUY EN VELAY, in the person of its legal representative, duly authorised for the purposes of this document (hereinafter referred to as the “Data Controller”), within the framework of the operation of the website accessible at (hereinafter referred to as the “Website”).

1.2 The purpose of this Privacy Policy is to define and inform Users of the manner in which the Data Controller collects, uses and protects Users’ personal data (hereinafter “the Data”) in the context of the operation of the Site, in accordance with the French Data Protection Act of 16 January 1978 as amended and the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (“RGPD”). The Law and the RGPD are together referred to as the “Applicable Regulations”.

1.3 The Data Controller reserves the right to modify this Privacy Policy, at its discretion or in order to comply with legislative, regulatory, jurisprudential or technological developments.

In this case, the date of the change will appear clearly at the top of the privacy policy.

It is therefore up to the User to consult this Privacy Policy on a regular basis in order to take note of any changes.

Article 2: Data collected

2.1 The User is informed that it is possible to visit the Site without communicating any of his/her Data to the Data Controller. In any case, the User is not obliged to communicate his/her Data to the Data Controller.

However, in case of refusal, the User may not be able to benefit from all the services offered by the Site.

Indeed, in the context of certain services, the Data Controller may be required to ask the User to provide certain Data as mentioned below, particularly with regard to Reservations.

2.2 The Data Controller collects various personal data from Users, namely:

2.2.1 Information required to make a Reservation

When using the Site, and in order to make a Reservation on the Site, the User must provide the following information:

  • civility

  • name and surname of the User ;

  • team represented

  • mailing address ;

  • email address.

  • telephone number

By providing this information, the User acknowledges and expressly agrees that his/her Data may be processed in accordance with the provisions of this privacy policy.

Article 3: Purposes of processing

The Data Processor may process the Data to process the Reservations and to inform the CLIENT of any information that may be of interest to him/her in relation to the Reservation.

The Data Controller may use the Data to process Reservations made by Users.

The Data Processor processes this Data for the purposes listed above in view of the contract concluded between the User and the Data Processor, in particular in order to communicate it to the Host.

Article 4: Recipients

For the proper provision and execution of the services, and for the proper navigation on the Site for the User, the Data Controller may be required to transmit the Data collected to its partners, and in particular to its IT Service Providers and to the Host, and to its partners, for the proper execution of the Reservation or the communication of information useful for their stay.

In this respect, the Data Controller undertakes to ensure that the said partners provide the necessary guarantees in terms of personal data protection in order to protect the security and confidentiality of the Data.

Article 5: Retention Period

The Data is kept by the Data Controller only for the time corresponding to the purposes specified above, i.e. between the date on which the User makes a Reservation and the date on which the Stay ends.

However, the Data will be kept for the time required to collect all the sums due for the Reservation.

At the end of these periods, they are then archived, anonymized or deleted.

Article 6: Users’ rights

In accordance with the applicable Regulations, the User has the following rights regarding his Data.

6.1 Right of access and communication of Data

Each User may request from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and where they are, access to said personal data as well as to a certain amount of information (purposes of the processing, categories of data concerned, recipient of the data, existence of a transfer outside the EU, retention period, etc.).

The Data Controller must then reply to the User within one month from the date of the request (extension of two months is possible “in view of the complexity and number of requests” and if the User has been informed within the initial one-month period).

While the response is in principle free of charge, the data controller reserves the right to request payment of a reasonable fee if the request incurs administrative costs and the request is manifestly unfounded or excessive.

In this regard, it should be noted that the Data Controller is not required to respond if :

  • the request is manifestly abusive, in particular its repeated or systematic nature ;

  • the Data are not kept.

6.2 Right to rectify Data

Each User has the right to obtain from the Data Controller, as soon as possible, the rectification of personal data concerning him/her that are inaccurate.

Furthermore, in view of the purposes of the processing, each User has the right to have incomplete Data completed, including by providing an additional declaration.

6.3 Right to be forgotten and erased

Each User has the right to obtain from the Data Controller the deletion, as soon as possible, of personal data concerning him/her.

The right to erasure includes the right to dereference and deletion of collected Data.

This right is not, however, general and applies only on the following limited grounds

  • the Data are no longer necessary for the purposes for which they were collected or processed;

  • the User withdraws his/her consent on which the processing is based and there is no other legal basis for processing;

  • the User objects to the processing and there are no compelling and legitimate grounds for the processing;

  • the Data has been processed unlawfully ;

  • the Data must be deleted to comply with a legal obligation.

Furthermore, exceptions to the right to erasure are provided for insofar as the processing is necessary:

  • the exercise of the right to freedom of expression and information;

  • to comply with a legal obligation which requires the processing, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the field of public health,

  • for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes insofar as the right in question is likely to render the achievement of the purposes of such processing impossible or seriously jeopardise it;

  • the establishment, exercise or defence of legal claims.

Also, in the event that the User would like the Data Controller to proceed with the deletion of some of his/her Data, he/she must send a written request.

The data controller will then inform the data subject whether or not his request is admissible, giving reasons for his decision.

6.4 Right to limit the processing of Data

The right to limitation means that the User has the right to obtain from the Controller that he limits the processing, this limitation being defined as “the marking of personal data retained, with a view to limiting their future processing”.

However, this right can only be exercised in certain cases, namely:

  • the User disputes the accuracy of the Data;

  • when the processing is unlawful, the User objects to the deletion of the Data and instead requires a limitation of their use;

  • the Data Controller no longer needs the Data for the purposes of the processing, but the Data is still necessary for you to establish, exercise or defend your legal rights;

  • the User has objected to the processing.

In this case, only the storage of the data is allowed, without any further processing.

6.5 Right to object to the processing of Data

In accordance with the Applicable Regulations, the User has the right to object at any time, for reasons relating to his particular situation, to the processing of personal data concerning him.

It should be noted that this right is not absolute and that the User must put forward a legitimate reason to benefit from this right.

In the event that the User wishes to oppose the processing of all or part of his/her Data processed by the Data Controller, the latter shall consider whether there are legitimate and compelling reasons for the processing that prevail over the interests of the User, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Therefore, it is possible that the User’s request for opposition will be refused, in accordance with the applicable legal rules.

In this case, the User may appeal either to the services of the Data Controller or to the CNIL.

6.6 The Data Controller informs the User that he/she may download from the website of the Commission Nationale Informatique et Libertés (CNIL) application forms relating to the rights set out above.

Article 7: Withdrawal of consent

If the Data is processed by the Data Controller on the basis of the User’s consent, the User may withdraw his/her consent at any time by indicating this to the Data Controller by e-mail or letter to the addresses indicated below.

Article 8: Security

The Data Controller implements and continuously updates administrative, technical and physical security measures to protect the Data against unauthorised access, loss, destruction or alteration.

If the User has reason to believe that his or her Data has been stolen, lost or misappropriated, it is up to him or her to report this immediately to the Data Controller.

Article 9: Contact

The User may exercise his/her rights or make any request to the Data Controller at the following address

  • email address :

  • Mailing address: Mr. Director – Office de Tourisme de l’Agglomération du Puy-en-Velay, 2 place du Clauzel, 43000 Le Puy-en-Velay