Personal Data Protection Charter – Confidentiality Policy

(Last updated: October 2024)

Foreword

The purpose of this website is to share information between the different key players of the French agri-food industries (hereinafter referred to as “Users”) contributing to the development of international trade between France and foreign countries, and for which personal data are collected by Business France. “Users” refer to French exporters, foreign investors, influencers and partners.

Aware of the importance of ensuring the confidentiality of personal data, this document describes how Business France, as data controller, is fully committed to comply with the Personal Data Protection Regulation (Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016). Business France has designated a Data Protection Officer whose contact details are as follows: https://dpo.businessfrance.fr/en

A- Framework for the use of data

Below, Business France presents its collective data, its purposes and its basis.

What categories of data do we collect?For what purpose do we collect these data?On what basis do we treat your data?
Name, first name, e-mail, phone (optional) function, company / organization, countryImplementation of a messaging system for the website contact pageConsent
emailSending of a newsletter from the website homepageLegitimate interest of Business France to inform Users and to promote French key players in agriculture, the agri-food industry and gastronomy

B – Storage time for data

We keep your personal data for the necessary period with respect to applicable legislation and regulations, or for a period defined with regard to our operational constraints, such as our accounting, an efficient management of the client relationship, as well as to enforce any legal rights or to respond to requests by our line ministries.

Data on customers who are billed are kept for five years in the active database and five years in the intermediate database from the end of the contractual phase.

Data on all other prospective users are kept for three years from when they are collected or from our last contact with you. 

C – Access to and transfer of data

C-1 Access to data

The personal data that Business France collects, and those that Business France obtains subsequently, are intended for Business France in its capacity as data controller, including its offices and representations abroad, some of which are located outside the European Union, and for the French public program members Team France Export (French administrative regions, French Chambers of Commerce and Industry and Bpifrance) and Team France Invest (Regional Development Agency, local authorities, ANCT and decentralized services) supporting the international development of the French economy.

Data are also shared with all of the other founding partners of the Taste France brand, that is the Ministry for Agriculture and Food, the inter-profession of the sector and the agriculture and food services of the French administrative regions.

Business France ensures that only authorized persons have access to this data. Business France service providers and French public program members supporting the international development of the French economy may be recipients of this data to perform the services for which they are entrusted. Some personal data may be sent to third parties or to legally authorized authorities in order to meet Business France’s legal, regulatory or contractual obligations.

Personal data may be subject to a convergence, a mutualization or a sharing between all Business France entities. Personal data may be communicated to these entities for the purposes referred to in A- Framework for the use of data. These operations are carried out on the basis of instruments that comply with applicable regulations and are capable of ensuring that users’ rights are protected and respected.

C-2 Transfer of data

Business France transfers personal data to its offices and partners in the European Union and outside the European Union.

Each of these transfers is governed by legal instruments that comply with the applicable legal framework:

  • Switzerland and Japan benefit from an adequacy decision, which means that they offer personal data of users a level of protection equivalent to the one which is applied on the European Union territory.
  • Transfers made to other countries (Cameroon, Canada, United States of America, Taiwan, Turkey, India, Australia, China, South Africa) are covered by the following appropriate safeguards: contractual clauses of the European Commission type.

D – User rights

A user (private individual) can exercise their rights justifying their identity here  https://dpo.businessfrance.fr/en  or by post to the following address:

Data Protection Officer,

Business France,

77 boulevard Saint-Jacques

75014 Paris  France

To do so, the claimant has to clearly indicate its surname and first name, and the address to which he wants the reply to be sent.

As a principle, the claimant can exercise freely all their rights. However, concerning the right of information, Business France will not have to answer it if the user already has the information requested.

Business France will inform them if it cannot answer the requests.

The failure to provide information or modification of data can have consequences in the process of certain demands for the execution of contractual relations.

The request concerning the exercise of the rights of the user will be stored for monitoring purposes.

Right to information:

The user acknowledges that the present Charter provides them with information about the purposes, legal framework, interests, recipients or categories of recipients with whom their personal data were shared, and the possibility of a data transfer to a third country.

In addition to this information, and with the aim of ensuring fair and transparent processing of data, they further acknowledge that they have received additional information concerning:

–             The period for which their personal data will be kept.

–             The existence of the rights which are granted to them and the terms and conditions to exercise them.

If Business France decides to process data for purposes other than those indicated, all information relating to those new purposes will be communicated to them.

Right to access to and rectification of data:

The user has the right to access and rectify their personal data with this link https://dpo.businessfrance.fr/en – or by writing to the Data Protection Officer at Business France  77 Boulevard Saint-Jacques, 75014 Paris, France.

In this respect, the user has the confirmation as to whether or not their personal data are being processed and where this is the case, access to their data and the following information:

–  The purposes of the processing.

–  The categories of personal data concerned.

–  The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries.

–  Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.

–  The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data, or to object to such processing.

–  The right to lodge a complaint with a supervisory authority.

–  Where the personal data are not collected from the data subjects, any available information relative to their source.

–  The existence of automated decision-making, including profiling, and in this case meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The user can ask Business France to, as the case may be, rectify or complete their personal data that are inaccurate, incomplete, equivocal or expired.

Right to erasure and to data restriction – right to object to data processing:

The user can ask Business France to erase their personal data where one of the following grounds applies:

–             The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

–             The user withdraws the consent they have previously provided.

–             The user object to the processing of their personal data and there is no legal reason for such processing.

–             The processing of personal data does not comply with the provisions of the applicable legislation and regulations.

Nevertheless, the exercise of this right will not be possible when the retention of the personal data is necessary for compliance with statutory or regulatory provisions and in particular for example for the establishment, exercise or defense of legal claims.

The user may request restriction of processing of their personal data in the cases provided for by law and regulation.

The user has the right to object to the processing of their personal data when the processing is based on the legitimate interest of the controller, or on a necessary mission of public interest, or on the exercise of official authority.

Other rights:

The user has the right to portability of their personal data. The data on which this right can be exercised are:

–    Only their personal data, which excludes anonymized personal data or data that does not concern them.

–    Declarative personal data and personal operational data.

–    Personal data which do not adversely affect the rights and freedoms of others, such as those protected by trade secrets.

This right is limited to processing based on consent or contract, as well as to personal data that the user has personally generated. This right does not include derived or inferred data, which are personal data created by Business France.

When the data processing carried out is based on the user’s consent, they may withdraw it at any time. Business France will then stop processing the personal data, but this will have no impact on the previous transactions.

The user has the right to lodge a complaint with the French Data Protection Authority (CNIL) on French territory without prejudice to any administrative or judicial remedy.

The user can give instructions in relation to the storage, erasure and communication of their personal data after their death to a certified trusted third party in charge of enforcing the wishes of the deceased in compliance with the applicable legal framework.

The user’s personal data are communicated to Business France as part of the services performed and purchasing procedures set out in the framework of Business France’s public service mission, defined by Decree no. 2014-1571 of December 22, 2014 related to the agency Business France. In this context, if the user refuses to provide Business France with their personal data, which would be essential for the performance of the services, this refusal will result in an impossibility to perform the services.

E – Data hosting

Business France has taken the physical, technical and organizational measures necessary to ensure the security, integrity, availability and confidentiality of your personal data, in particular to protect them against destruction, loss, theft, accidental destruction, alteration or non-authorized access. The data collected and used by Business France for a third party are hosted in France (NB: due to data replication or load balancing reasons, personal encrypted data may be temporarily replicated in another country within the European Union).

F – Cookies

When you navigate on our website, cookies may be recorded or read on your computer, mobile phone or tablet, subject to your choices.

F-1 – Definition of a cookie

A cookie is a small text file left on your computer, mobile phone or tablet, during a site visit. In your computer, cookies are managed by your internet navigator.

F-2 –The obligation to provide information when depositing cookies

Article 82 of the Data Protection Act modified by Order no. 2018-1125 of December 1, 2018, henceforth requires site administrators and providers of solutions to inform internet users and to collect their consent before the insertion of certain types of cookies or other tracers, whatever terminal is used (computers, smartphones, digital tablets and video games consoles, etc.). Some cookies, judged to be necessary to provide a service expressly requested by the user, do not require prior consent, whereas others are bound by this obligation.

List of different cookies left by our websites are available in the preference management center of our consent management tool: to access it, simply click on the icon at the bottom left of your screen:

F-3 – Accepting or refusing cookies

You can choose at any moment to de-activate these cookies via the preference management center below and/or via the parameters of your navigator by clicking on the icon at the bottom left of your screen: 

Your navigator can also be set up to signal to you that cookies are stored on your computer and to ask you to accept them or not.

You can also accept or refuse cookies on a case-by-case basis or alternatively systematically refuse them once and for all. To manage cookies and your choices, the configuration of each navigator is different. It is described in the help menu of your navigator, which will enable you to know in which way your wishes concerning cookies can be modified.

If you do not want our site to record cookies coming from social networks in your navigator, you can de-activate these cookies by clicking “Edit cookies” above and/or on the following de-activation links, which will record a cookie in your navigator with the sole objective of neutralizing the use of other cookies from the same issuer. De-activating these cookies will therefore prevent all interaction with the social network(s) concerned:

NB: The inclusion of your different wishes is based on a cookie or several set cookies. If you delete all the cookies concerning our site recorded on your terminal, we will no longer know what consent or refusal you have provided. It will therefore come down to you re-initializing your consent and you will have to refuse the cookie(s) that you do not want to keep. Similarly, if you use another internet navigator, you will have to refuse these cookies, as your choices, just like the cookies to which they are related, depend on your navigator and your terminal (computer, tablet, smartphone, etc.) that you use to consult our site.

F-4 – Our audience measurement cookies Piano Analytics

These cookies enable us to measure the audience on our sites (number of visits, number of pages viewed, the activity of visitors on the site and how often they return).

Our cookies are exempt from the need to obtain consent as stated in the CNIL ruling n°2020-091, insofar as they are strictly necessary for the operation of the site.

To disable Piano Analytics tracking completely, by clicking here {lien pour désactiver le tracking}.

Please note that if you opt-out, we will no longer be able to measure and improve our sites in an optimal way.

In addition, we carry out more extensive audience measurement once the Internet user has consented to this additional purpose

For more information, please see the section “Data collected automatically via our audience measurement solution”.

Data collected automatically via our audience measurement solution

To measure audience on digital properties, we collect different types of information.

  • ID-type information: cookie ID, mobile ID, IP address. After being collected, this data is used for real-time processing in order to generate a visitor ID (hashing is applied on source data) and to calculate geolocation information (which is never more granular than the city- or region-level, depending on the country). The raw data collected is never shown in our interfaces.
  • Digital analytics information: data related to Internet users’ navigation:
    • the type of browser used
    • the number of page views
    • the exact navigational path a visitor takes on the site
    • the amount of time spent on a page, or the entire site
    • shopping cart activity (items placed in cart, abandons, etc.)
    • other types of navigational data

Within the framework of the definitions given by Article 4 of the GDPR, we consider that all the data we collect is considered as “personal data” and as such we apply the same attention and the same level of protection to it.