This website is operated by the Group on behalf of HOTEL DE L ABBAYE ST GERMAIN, a "société par actions simplifiée" established in France under SIRET number 71206274400016 whose registered office is located at the following address: 10 rue Cassette, 75006 Paris, France.
The Group, as the data controller, determines the purposes and means of processing personal data about you. For more information, please contact us by email at firstname.lastname@example.org.
Depending on the nature of your interaction with us, we may collect, use, store and transfer the following types of personal data about you:
Identity data: first name, surname, date of birth, marital status and title.
Contact details: billing address, e-mail address, business address, home address and telephone numbers.
Financial data: encrypted bank account and payment card details.
Data on financial transactions carried out: details on payments issued and received by you and other details on the products and services you have purchased from us.
Technical data: the Internet Protocol (IP) address, your connection data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technologies on the devices you use to access this website.
Profile data: your social media channels, interests, preferences, comments and survey responses.
Usage data: information about how you use our website and services, including wifi.
Marketing and communication data: your preferences for receiving marketing communications from us and our third parties, as well as your communication preferences.
We also collect, use and share aggregate data, such as statistical or demographic data, for any purpose. Aggregate data may be derived from your personal data but is not considered personal data within the meaning of the law because it does not directly or indirectly reveal your identity. We own all right, title and interest in the aggregated data. However, if we combine or connect aggregated data with your personal data to identify you directly or indirectly, we treat the combined data as personal data that will be used in accordance with this privacy statement.
Except for specific information that you may provide to us as part of the services we provide to you (for example, in relation to your physical, health or dietary needs), we do not collect Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information and genetic and biometric data). Nor do we collect information on criminal convictions and offences.
When we need to collect personal data under the law or a contract we have with you and you do not provide such data upon request, we may not be able to perform the contract we have or are trying to conclude with you (for example, to complete your reservation). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at that time.
We use different methods to collect data about you, including:
Direct interactions: you can provide us with your identity, contact information and financial data by completing online forms or by contacting us by mail, telephone, e-mail or other means. This includes, but is not limited to, the personal data you provide when:
you make a reservation;
you are attending an event at one of our sites;
you receive a service from us;
you use our wifi service in one of our hotels;
you subscribe to our service or publications;
you ask for marketing offers to be sent to you;
you participate in a contest, promotion or survey;
you provide us with an opinion.
Third parties or publicly accessible sources: we may receive personal data about you from various third parties and public sources such as technical data from the following parties:
We also use video surveillance to prevent the use of our services and facilities for illegal purposes and to protect our employees and customers. In this context, personal data may be processed by the Group and its suppliers for these purposes.
The use of personal data under applicable data protection laws must be justified on one of the legal grounds provided for in the GDPR. We are required to indicate the purpose for each use of your personal data in this policy. These are the main reasons for our use of your information:
Consent: where you have consented to our use of your personal information (you provide express, informed and freely given consent for such use, and you may withdraw your consent by notifying us).
Legitimate interests: the interest of our company in the conduct and management of our business in order to enable us to offer you the best service and experience under the best conditions. We ensure that we consider and manage any potential impact on you (positive or negative) and your rights before processing your personal data for our legitimate interests. We do not use your personal data for activities for our benefit that may affect you (unless we have your consent or as required or permitted by law).
Contract: processing your data when necessary to perform a contract with you or taking steps at your request before entering into such a contract.
Legal obligation: processing your personal data when necessary to comply with a legal or regulatory obligation to which we are subject.
Legal claims: when your information is necessary for us to defend, sue or make a claim.
Below is a description of all the ways in which we plan to use your personal data, as well as the legal bases on which we rely to do so. We also identify our legitimate interests.
Purpose / Activity
Type of data
Lawful basis for processing
To process your reservation, including:
Management of payments, fees and charges
Recovery and refund of amounts due to us
Execution of a contract with you
Necessary for our legitimate interests (to collect the receivables due to us)
Manage our relationship with you that will include:
Ask you to leave a comment or answer a survey
Marketing and communications
Necessary to comply with a legal obligation
Necessary for our legitimate interests (keeping our files up to date and studying how clients use our services)
To allow you to participate in a draw, contest or survey.
Marketing and communications
Necessary for our legitimate interests (to study how customers use our services, develop them and develop our business)
To administer and protect our company and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and data hosting)
Necessary for our legitimate interests (for the conduct of our business, the performance of administrative and IT services, network security, fraud prevention and in the context of a corporate reorganisation or group restructuring)
Necessary to comply with a legal obligation (to prevent fraud)
To provide you with relevant website content and advertising and to measure or understand the effectiveness of the advertising we serve you.
Marketing and communications
Necessary for our legitimate interests (studying how customers use our services, developing them, developing our business and informing our marketing strategy)
To use data analysis to improve our website, services, marketing, customer relations and experiences
Necessary for our legitimate interests (defining the types of customers for our services, maintaining our website up to date and relevant, developing our business and informing our marketing strategy)
To make suggestions and recommendations to you on goods or services that may be of interest to you
Marketing and communications
Necessary for our legitimate interests (to develop our services and develop our activity)
Consent, when we send you marketing from third parties
We will only use your personal data for the purposes for which we have collected them, unless we reasonably believe that we should use them for another reason and that this reason is consistent with the original purpose. If you would like an explanation on how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for other purposes, we will inform you and explain the legal basis for doing so.
Please note that we may process your personal data without your knowledge or consent, in accordance with the above rules, when required or permitted by law.
We strive to provide you with choices about certain uses of personal data, particularly with respect to marketing communications and advertising. We have implemented the following personal data control mechanisms:
You will receive marketing communications from us, including newsletters and marketing e-mails relating to our services, if you have (i) requested information from us, (ii) used our services, or (iii) provided us with your contact information when you entered a contest or registered for a promotion and, in each case, if you have not opted out of receiving such marketing information.
We will obtain your express consent before sharing your personal data for marketing purposes with any company outside the Group.
You may ask us to stop sending you marketing messages at any time by following the exclusion links on any marketing message sent to you or by contacting us at any time.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or obtained in an unauthorized manner, modified or disclosed. In addition, we limit access to your personal data to employees, agents, companies and other third parties who have a business need to access it. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have procedures in place to deal with any alleged breach of personal data protection and will notify you and any applicable regulatory body of any breach of personal data protection where required by law.
We may share your personal data with the parties mentioned below for the purposes indicated in the table above.
Internal third parties (as indicated in the glossary). Legal framework: legitimate interests (to operate the business and provide related services)
External third parties (as indicated in the glossary). Legal framework: legitimate interests (to operate the business and provide related services)
Third parties to whom we may choose to sell, transfer or merge all or part of our business or assets. We may also seek to acquire or merge with other companies. If there is a change in our company, the new owners may use your personal data in the same way as described in this privacy notice. Legal framework: legitimate interests (to operate the business and provide related services)
We ask all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes (unless permitted by law for compliance purposes) and we only allow them to process your personal data for specific purposes and in accordance with our instructions.
The Group operates only at the European level, but it may sometimes be necessary to transfer personal data to another recipient (such as third party partners or service providers) in a country outside the country where it was originally collected or outside your country of residence or nationality. For many of our business activities, we use cloud services. Therefore, for technical and organisational reasons, it may be necessary for your personal data to be transferred to servers based outside the European Economic Area (EEA).
When we transfer your personal data outside the EEA, we ensure that they are afforded a similar level of protection by ensuring that at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been considered by the European Commission to provide an adequate level of protection for personal data. For more details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
When we use certain service providers, we may use specific contracts approved by the European Commission that guarantee the same protection for personal data as in Europe. For more details, see European Commission: Model contracts for the transfer of personal data to third countries.
When we use suppliers based in the United States, we may transfer data to them if they are part of the privacy protection system that requires us to offer similar protection to personal data shared between Europe and the United States. For more details, see European Commission: EU-US Privacy Shield.
With your consent or as legally permitted by applicable data protection laws.
Please contact us if you would like more information about the specific mechanism we use when transferring your personal data outside the EEA.
We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including to meet legal, accounting or reporting requirements.
In determining the appropriate retention period for personal data, we take into consideration the amount, nature and sensitivity of the personal data, the potential risk of harm resulting from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes by other means, as well as applicable legal requirements.
In some cases, you may ask us to delete your data: see "Deletion Request" below for more information.
In certain circumstances, we may make your personal data anonymous (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely.
In certain circumstances, you have rights under the laws on the protection of your personal data. Please refer to the "Your Legal Rights" section of the glossary below for more information on these rights:
Request access to your personal data.
Request the correction of your personal data.
Request the deletion of your personal data.
Oppose the processing of your personal data.
Request to limit the processing of your personal data.
Request for transfer of your personal data.
Right to withdraw your consent.
Right to file a complaint.
To exercise these rights, you can contact us at the following address: email@example.com. We will ask you for information to identify you.
Requests will be processed within one month. We are authorized to extend this period by an additional two months if the complexity of the situation so requires and we will inform you if the period is extended. If your request is clearly unfounded or excessive, we may either charge you a fee or refuse to process your request. For access requests, we may also charge you for additional copies. If we decide not to honour your request or not to respond to your request, we will explain the reasons in our response.
Any company in the Group providing intra-group services, including marketing, finance, IT, system administration, HR services and leadership reports.
Service providers acting as processors that provide IT, system administration, analysis, marketing, reservation and other business services.
Professional advisors, including lawyers, bankers, auditors and insurers who provide consulting, banking, legal, insurance and accounting services.
All authorities and public administrations that require the declaration of the company's activities and its possible transformation in certain circumstances.
You have the right to:
Request access to your personal data (commonly referred to as the "data subject's request for access"). This allows you to receive a copy of the personal data we hold about you and to verify that we are processing them legally.
Request the correction of your personal data. This allows you to have incomplete or inaccurate data about you corrected, although we need to verify the accuracy of the new data you provide us.
Request deletion of your personal data. This allows you to ask us to modify or delete personal data when there is no valid reason for us to continue processing them. You also have the right to ask us to delete your personal data when you have successfully exercised your right to object to the processing (see below), when we have processed your information unlawfully or when we are required to delete your personal data to comply with applicable legislation. Please note, however, that we are not always able to respond to your request for deletion for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
Oppose the processing of your personal data when we rely on a legitimate interest (or those of a third party) and there is something in your particular situation that prompts you to oppose processing on this ground, as you consider that it affects your fundamental rights and freedoms. You also have the right to object to the processing of your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate reasons to process your personal information, which takes precedence over your rights and freedoms.
Request restriction of processing of your personal data. This allows you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the accuracy of the data; (b) if our use of the data is illegal but you do not want us to delete it; (c) if you need us to keep the data even if we no longer need it because you need it to establish, exercise or defend rights; or (d) if you have challenged our use of your data, but we must check whether we have compelling legitimate reasons to use it.
Request the transfer of your personal data to you or a third party. We will provide you or the third party you have chosen with your personal data in a structured, commonly used and machine-readable format. Please note that this right only applies to automated information that you initially authorized us to use or when we used it to perform a contract with you.
Withdraw your consent at any time when we need your consent to the processing of your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide you with certain services. We will notify you if this is the case when you withdraw your consent.
File a complaint. You have the right to file a complaint with the competent supervisory authority such as the Commission Nationale de l'Informatique et des Libertés in France (see https://www.cnil.fr). We encourage our customers to contact us first if they have any concerns or complaints.
Last updated on: January 2021