Personal Data Policy

1.    What is personal data?

Personal data is any information that can be used to identify a natural person.
A natural person can be identified:

  • Directly, for example: first and last name
  • Indirectly, for example: telephone number or number plate, identifier, postal or email address, but also voice or image
  • Using a single piece of data, for example: name
  • By cross-referencing a set of data, for example: a woman, born on a given date, living at a given address and working in a given profession

2.    Who is responsible for the personal data protection policy?

It is the company, embodied by its director, that creates a data processing operation for a specific purpose and adopts the appropriate means of protection (for example: the company that wishes to send you its newsletter will collect your email address to do so, and is responsible for the personal data protection policy). It is also known as the "data controller".

We may also be joint data controller. In this case, our decisions are taken by mutual agreement with a partner, usually another company, under a written contract.

We may also process personal data. In this case, we process data because we are carrying out a service on behalf of a data controller. The contract with our partner then describes the guarantees we must provide as a subprocessor: traceability obligation, data protection from the design stage and by default, data security, duty to assist and advise.

You will find detailed information about us on the legal notice page of our website.

Responsable de traitement

SOCIETE HOTELIERE FOCH
Joint-stock Company SAS  (société par actions simplifiée) with capital of 500,000 euros
25, place Napoléon, 85000 La Roche-sur-Yon – France
+33(0)2.30.32.38.26 - contact@squarelodge.fr
SIREN: 38430557900038
Intra-Community VAT Number : FR22844081943

Legal Representative : Madame Valérie Dubreuil, présidente
Director of publication : Madame Valérie Dubreuil, Présidente

Hosting provider : OVH - 2 rue kellermann - 59100 Roubaix - France
SOCIETE HOTELIERE FOCH is a subsidiary of Groupe Dubreuil

3.    What is the purpose of the personal data protection policy?

In the age of digital technology and the digital economy, we want our relationships to be based on trust and mutual interest. 

We publish our data protection policy to keep you informed about how we process the personal data entrusted to us. Processing personal data means consulting it, collecting it, storing it, cross-referencing it, using it and so on.
In addition to the objective we seek, our policy also tells you how long we keep your personal data, and what rights you can exercise.

Our policy is regularly updated. We therefore invite you to consult it from time to time on our website www.squarelodge.fr, on our mobile app if applicable, or at our offices.

If we publish a mobile app, we protect personal data in the same way, and the personal data protection policy for our website also applies to our mobile app.

4.    Who is the personal data protection policy intended for?

The personal data protection policy applies to all individuals:

  • Website visitor
  • Customer
  • Potential customer (also known as a prospect)
  • Employee (including trainee)
  • Candidate
  • Partner
  • Shareholders, corporate officers and executives

5.    What personal data do we process ?

At various times, we may collect information about you or those around you.
Here are a few examples, by category of data (examples marked with an asterisk * relate only to employees, candidates or shareholders, and only when the collection of the data is strictly necessary):

  • Civil status: Surname, first name, age, nationality, gender
  • Contact data, telephone, calendar: Email address, postal address, telephone number
  • Language: Mother tongue, other languages spoken
  • Online browsing and information systems data: IP address, connection date, cookies
  • Image and sound recording: Photograph, voice message
  • Hobbies, interests and habits: Preferences and interests
  • Family environment: Family status, household composition
  • Financial and accounting data: IBAN, invoice
  • Equipment identification: Model type, serial number, badge
  • Traffic and vehicles: Registration, geolocation
  • Employee data: Entry date*, salary*
  • Candidate data: Diploma*, training*
  • Identity documents: Passport number*, copy of identity card*
  • Highly personal data: Social security number
  • Conviction and offence data: B3 extract from the criminal record*
  • Sensitive data: Health and disability data

The collection of information on persons under the age of 16 is limited to their name, nationality and date of birth, which can only be provided by a person of legal age. If a child in your care sends us personal data, you can ask us to delete it in the ways described below (see "13. How to exercise your rights ").

In order to respond your requests or provide you with the appropriate service, we may need to hold information that indirectly enables us to identify sensitive data, such as your state of health. In this case, we will only collect this data with your prior consent. For example, you can let us know if you have any allergies.

6.    What do we do with your personal data?

6.1    We process your personal data in order to achieve a defined objective

Personal data is processed when it is consulted, collected, stored, used, cross-referenced, etc., in order to achieve a defined objective.

We are committed to minimising the data collected, i.e. processing only the personal data that is necessary. For example, to offer you a gift for your birthday, we do not necessarily need your year of birth: Even if certain computer tools collect it, for this purpose, we do not consult your year of birth.

In principle, data should only be processed for a single purpose. If a processing operation serves several purposes, we need to make this clear to you. A piece of data may then become useless for a first purpose but still be necessary for a second purpose. For example, we collect your email address to send you a quotation, but once the quotation has been accepted, we retain your email address to process your order.

6.2    We only process your personal data because we are authorised to do so

The General Data Protection Regulation (GDPR) organises and limits the purposes for which we may collect your data.

If you are our customer, our partner or our employee, we must collect your data in order to conclude and execute the contract between us, until the expiry of the warranties and time limits.

In some cases, we are required by law to retain personal data. For example, we need to be able to identify the origin of our income and the destination of our expenditure in order to meet our accounting and tax obligations.

In other cases, we need your consent to process your personal data. For example, to send you unsolicited commercial offers, or to keep a record of your application.

Finally, the GDPR allows us to simply assess our interest in processing your personal data, provided that this does not create an imbalance between your interests and ours. For example, we may compile sales statistics to get to know our customers better.

6.3    We keep your data for a limited period

Sometimes a few hours are enough to achieve the objective we are seeking. Sometimes the law requires us to keep your data for several years.

Your personal data will only be kept for as long as is necessary to achieve this purpose.

In general, the retention periods are:

  • 2 years after consideration of your unsolicited application or application for one of our job offers
  • 3 years after your last reaction to our commercial offers
  • 5 years after the end of the sale, rental or service contract that we entered into together
  • 10 years after the last monetary exchange between us
  • Up to 50 years after the end of the employment contract we entered into together

These are maximum periods, and in certain situations you may ask us to delete your data. For more details, see section "12. What are your rights?" below.

 

6.4    What do we do with your personal data?

 

What do we do with the data ?

(Processing)

What is our objective ?

(Purpose of the processing)

Why can we do it ?

(Legal basis)

Who does this processing concern ?

(Data subjects)

How long do we keep data ?

(Maximum retention period)

Drawing up a quotationPreparing the contractContractCustomers and potential customers3 years after the last contact by the data subject
Consulting and updating your customer accountImplementing the loyalty programmeContractCustomers5 years after the end of the contract
Satisfaction surveysEvaluating our customer relationsLegitimate InterestCustomers and potential customersDeletion at the end of processing
Claims managementProviding the ancillary services expected by our customersContractCustomers5 years after the end of the contract
After-sales serviceProviding the ancillary services expected by our customersContractCustomers5 years after the end of the contract
Product quality studiesEvaluating our offersLegitimate InterestCustomersDeletion at the end of processing
Product testsEvaluating our offersConsentCustomers and potential customersDeletion at the end of processing
Sales statisticsManaging our sales policyLegitimate InterestCustomers3 years after the last contact by the data subject
Electronic commercial prospecting for goods or services that have not already been purchased by private individualsDeveloping our customer baseConsentCustomers and potential customers3 years after the last contact by the data subject
Commercial prospecting by post or telephone calls to individualsDeveloping our customer baseLegitimate InterestCustomers and potential customers3 years after the last contact by the data subject
Commercial prospecting for professionalsDeveloping our customer baseLegitimate InterestCustomers and potential customers3 years after the last contact by the data subject
Electronic commercial prospecting for goods and services similar to those already purchasedBuilding customer loyaltyLegitimate InterestCustomers3 years after the last contact by the data subject
Bookkeeping, annual accounts and financial statementsKeeping accurate accountsLegal obligationCustomers, partners, employees, shareholders, officers and directors10 years after the end of the financial year
Preparation of various tax returnsMeeting tax obligationsLegal obligationShareholders and their tax households10 years after the end of the financial year
Billing and collection managementMonitoring and consolidating cash flowLegitimate InterestCustomers and partners10 years after the end of the financial year
Financial study of investment projectsProviding financial and banking supportLegitimate InterestShareholders and directorsDeletion at the end of processing
Financial, banking and insurance managementProviding financial and banking supportLegitimate InterestShareholders and directors10 years after the end of the financial year
Management controlProviding financial and banking supportLegitimate InterestShareholders, directors, employees, customers and partners10 years after the end of the financial year
Management of securities and company registersMaintaining the legal secretariatLegal obligationShareholders and corporate officers10 years after the end of the financial year
Monitoring governance bodies and formalitiesMaintaining the legal secretariatLegal obligationShareholders and corporate officers3 years after the end of the financial year
Negotiating, drawing up or drafting contracts, protocols and various agreementsEnsuring contracts are finalised and effectiveContractDirectors, customers and partners5 years after the end of the contract or up to 30 years after the contract was signed
Advertising and prospectingRecruitmentLegitimate InterestCandidates and employees2 years after the end of recruitment
Organising interviews with candidatesRecruitmentLegitimate InterestCandidates and employees2 years after submitting the application
Drafting employment contractsRecruitmentContractEmployees5 years after the end of the contract
Monitoring remuneration, staff regulations and group benefitsFulfilling the employer's social commitment obligationsLegitimate interestEmployees5 years after the end of the contract or up to 50 years after the end of the contract

Monitoring the number of employees and their individual and collective status

Fulfilling the employer's social commitment obligationsContractEmployees5 years after the end of the contract 

Drawing up a training plan

Fulfilling the employer's social commitment obligationsLegitimate interestEmployees3 years after the end of the financial year

Forward-looking management of jobs and skills

Aligning human resources with corporate strategy and market trendsLegitimate interestCandidates and Employees3 years after the end of the financial year

Implementation and monitoring of employee benefits

Fulfilling the employer's social commitment obligationsContractEmployees5 years after the end of the contract 

Organisation of elections and relations with social partners and the social and economic committee

Fulfilling the employer's social commitment obligationsLegal obligationEmployees5 years after the event

Management of any employee-related disputes, both individual and collective

Fulfilling the employer's social commitment obligationsContractEmployees5 years after the event

Redundancy or contractual termination procedures

Fulfilling the employer's social commitment obligationsContractEmployees5 years after the employee leaves
Drawing up and monitoring a redundancy planFulfilling the employer's social commitment obligationsLegal obligationEmployees5 years after the event

7.    Cookies and other trackers

A cookie is a small file containing a series of pieces of information that may be sent to your browser by the website to which you are connecting.

Your browser stores this file for a certain period of time, and sends it back to our server each time you reconnect to our website.  

When you first visit our website, a banner will inform you of the presence of cookies and allow you to indicate your preferences.

With the exception of technical cookies, which are strictly necessary for the operation of the website, our cookies are only placed if you accept them using our banner or according to the settings on your browser. We may place audience measurement and statistical cookies, cookies enabling us to offer you tailored advertising, and cookies linking your activity on our website to your activity on social networks.

You will find more detailed information on the Cookie policy page of our website.

8.    Who do we collect data from?

In most cases, we collect your data directly from you, when you fill in a form, send us a message, a request or documents concerning you, online, by telephone, by post or at our premises.

We may also collect your data from public or private databases, on the Internet and from our partners.

9.    Who can access your personal data?

We are careful to limit access to your personal data, and our employees' access is limited to what is strictly necessary for their work within our organisation.

We work with many partners. We may then share your data:

  • Either because our partners are our subprocessors and act solely at our request.
  • Or because our partners participate in our contract. For example: A partner who produces a good or service that we have sold to you, and who owes you guarantees of assistance and product safety, or who surveys you to improve its quality
  • Or because you were informed when your data was collected and you expressed your agreement or disagreement.

You can find a list of our partners here. We endeavour to update it regularly. We therefore invite you to consult it from time to time.

In addition to this list, and always provided that you have expressed your agreement or disagreement, we remind you that in order to provide you with relevant offers, we may share your data with our subsidiaries, a list of which can be found on the www.groupedubreuil.com website.

Finally, we are sometimes required by law to disclose your data to the judicial or financial authorities or other government bodies and independent supervisory authorities, in compliance with European and French law, as well as to certain regulated professions, such as lawyers, bailiffs, notaries or audit firms.

10.    Can your data be transferred outside the European Union?

We ensure that your personal data is processed and stored within the European Union and under European law.

As an exception, and if justified by the purpose of the partnership, we sometimes exchange with partners outside the European Union. In this case, personal data may be processed outside the European Union, provided that this is accompanied by guarantees that comply with the GDPR, in particular the signing of a contract that follows the model proposed by the European Commission and protects your data (also known as standard contractual clauses, or SCC), or storage in a country recognised by the CNIL for the guarantees it offers (GDPR adequacy decision). These guarantees are mentioned in the list of our partners above.

We may also transfer your personal data to the authorities of third countries in accordance with the regulations in force. In such cases, we ensure compliance with international law.

11.    How do we protect your personal data?

We are concerned about the security of the personal data entrusted to us. Confidentiality is very important to us, and we are aware that we must assure you that your data will not be distorted, damaged, destroyed or disclosed to persons or organisations that have no need to know.

We take physical, electronic and organisational protection measures to prevent any breach of your personal data, and these measures are regularly evaluated to check that our organisation is up to date with protection standards.

We implement appropriate internal procedures to raise awareness among our employees and ensure compliance with these measures within our organisation, and we monitor compliance by our partners.

We also recommend that you exercise caution. For example, do not share your logins and passwords, or the equipment on which they are pre-registered.

12.    What are your rights?

You have various rights over your personal data, within the limits and conditions authorised by the Law and the rights of third parties:

  • Right of access: You can ask us for a copy of the personal data concerning you that has been entrusted to us.
  • Right of rectification: If you consider that we hold inaccurate or incomplete data, you have the right to have it amended.
  • The right to withdraw your consent at any time for the processing of your data subject to your consent.
  • Right to object: If you consider that our processing is not legitimate because it creates an imbalance between our interests and yours, you may object to this processing.
  • Right to portability: You may ask us to pass on your data to a third party to carry out processing on our behalf, if this is technically possible.
  • The right to erasure, also known as the "right to be forgotten": You may request the deletion of all your personal data, if your request corresponds to one of the situations provided for by the Law.
  • Right to restrict processing: This is a temporary right enabling you to control how we use your personal data while we process another of your rights, listed above.

You also have the right to give instructions concerning the fate of your personal data after your death.

13.   How to exercise your rights?

There are several ways for you to exercise your rights:

  • A link or SMS number allowing you to object to or withdraw your consent, which is communicated to you during our canvassing, surveys and quality studies.
  • A dedicated page to exercise your rights.
  • An email address to exercise your rights.

You can also oppose telephone canvassing by contacting the BLOCTEL service.

You may, at any time, lodge a complaint with the competent supervisory authority in the country of the European Union in which you habitually reside, your place of work or the place where the alleged breach of the regulations occurred: In France, your complaint should be sent to the CNIL.

This personal data policy was updated on 10/07/2024.