General personal data protection policy
In the course of your relationship with our Company, you will be requested to provide us with certain personal data.
In connection with its business, and in accordance with the laws in force in France (the Data Protection Act, Act No. 78-017 of 6 January 1978, as amended) and in Europe (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)), our Company undertakes to protect and ensure the confidentiality and security of the personal data of the persons who receive the services our Company offers, as well as to respect their privacy.
Within the meaning of the European regulation, personal data (hereinafter “Personal Data”) means any information that may relate to an identified or identifiable natural person.
The GDPR requires us, as controller, to meet certain security requirements, with which we comply in order to ensure that your Personal Data is protected.
The present policy is intended to provide you with the information necessary to enable you to understand the various processing operations we carry out in order to perform our duties and provide you with the services that best meet your needs.
This policy applies to any natural person who has ties to our Company, whether as a data owner, customer, prospective customer, applicant, agent, guarantor or legal representative.
Identity and contact details of the controller
This site is published by COLISEE GROUP, a simplified limited company (SAS) with share capital of €131,683,350, with a share capital of 1.358.324.396,59 euros with its head office at 125 avenue des Champs Elysées, 75008 Paris, France, registered with the Paris Company Registery under the number 888 238 250 and European VAT number FR : 20888238250. If you have any suggestions, information or reactions with respect to this site, please contact the webmaster: email@example.com
To ensure the laws are properly applied, our Company has appointed a Data Protection Officer (DPO), who is the primary contact for Personal Data protection issues, both within the Company and for the purposes of its relations with the French Data Protection Agency (CNIL). The DPO’s contact details are provided below:
E-mail address : firstname.lastname@example.org
COLISEE France – DPO
7-9 Allées Haussmann
33070 Bordeaux Cedex
Principles governing data collection
Our Company ensures it collects and processes only data that is strictly necessary for the purpose for which it is processed, in accordance with the data minimisation principle.
Our Company does not collect Personal Data without having informed the data subjects of the methods of and purposes for processing such Personal Data, in accordance with the transparency principle.
We ensure the Personal Data collected is relevant to better knowing the data subjects. Therefore, to the extent possible, we ensure the data processed are accurate, complete and up to date, in accordance with the data accuracy and quality principle.
Finally, our Company may collect information submitted by data subjects automatically in connection with the use of our websites. This information may include unique device identifiers, internet protocol (“IP”) addresses, browser characteristics, language preferences, operating system details and referring URLs, as well as the length of time spent on the website and the pages viewed. We may use tools such as cookies (see Cookie Management), web beacons, embedded scripts, web server logs or other similar technologies to collect details of the services and devices used to access our websites.
Our Company uses third-party web analytics services, such as Google Analytics, to help us analyse how data subjects visit our websites. To learn more about how Google may use information collected on our sites, please visit: https://policies.google.com/privacy/partners.
Purpose of processing operations carried out
In connection with our activities providing accommodation for seniors who are dependent, autonomous or have reduced autonomy or our post-acute and rehabilitation care clinics, we process your Personal Data for the purposes described below:
Prior to establishing a relationship with our Company:
The Personal Data collected prior to establishing a contractual relationship enables our Company to take the following actions:
- In-house sales forces: Creating contact lists for marketing purposes;
- Managing recruitment: Managing online recruitment via our website;
- Managing enquiries via the contact form on our website;
- Pre-marketing: identifying candidates for the acquisition of real estate parcels in connection with investment operations.
After establishing a relationship with our Company:
Your Personal Data collected when a contractual relationship is established enables our Company to take the following actions:
- Identifying you in our computer system;
- Managing IT applications: Invoicing for services and providing receipts;
- Managing suppliers;
- Managing bank details forms and direct debits for the payment of services;
- Access management: managing access badges for premises;
- Managing litigation, claims, losses or collections: managing claims and recourse;
- Required data exchanges with various social security agencies (e.g. the Departmental Council for purposes of the Personalised Autonomy Benefit (APA) for persons over 60 with reduced autonomy or the Disability Compensation Benefit (PCH) for disabled adults, pension funds, the Primary Medical Insurance Fund, mutual insurers and insurance companies, etc.);
- Conducting internal investigations: Investigations requested by external organisations (Competition and Consumer Fraud Authority (DGCCRF), Court of Auditors, etc.);
- Managing real estate sales: execution of deeds of sale, managing buyers from the time of their reservation to the delivery of the property;
- Reviewing property leases;
- Satisfaction surveys of residents, patients or their families and employees.
Specific processing operations
Our Company carries out other specific processing of personal data, such as:
- Managing video surveillance: such systems are set up on certain premises and certain areas of our establishments to ensure the safety of persons and property. If such systems are in operation, specific information is posted on site.
Licéité des traitements mis en œuvre
Lawfulness of processing operations carried out
Each Personal Data processing operation our Company carries out is based on precise legal grounds:
1. At times, processing is necessary to comply with a LEGAL OR REGULATORY OBLIGATION imposed on our Company. In particular, this is the case for the following processing operations:
- Managing the medical files of patients and residents;
- Managing real estate sales (notarised deed of sale, reservation contract, preliminary purchase and sale agreement, monitoring buyers);
- Data exchanges with various social security agencies;
- Managing trade union representative elections;
- Managing our Company’s invoicing and accounting.
2. Processing may be necessary to PERFORM A CONTRACT for products and services that you have entered into or to carry out pre-contractual measures. In particular, this applies to the following processing operations:
- Administrative management, invoicing and monitoring of contracted services;
- Managing payroll and expense reports;
- Administrative and labour management of employees;
- Managing commercial leases and invoicing of lessors;
- Managing suppliers.
3. The processing is necessary in order to protect our LEGITIMATE INTERESTS, in compliance with the fundamental rights and freedoms of data subjects: In particular, this type of treatment may include:
- Managing litigation, collections, claims or losses;
- Managing HR reports and indicators;
- Generating statistics;
- Access rights / internet access management;
- Managing video surveillance;
- Staff activity planning.
4. Your CONSENT may be specifically obtained in order to authorise specific processing of your Personal Data. In such case, you will be asked on a case-by-case basis to authorise the processing in question at the time the data is collected or when such processing is carried out. This basis concerns, for example, the following processing operations:
- In-house or external communications that use your likeness;
- Sales prospecting;
- Satisfaction surveys of residents, patients or employees;
- Management & administration of the “MyColisée” social network or any other social network;
- Wi-Fi access management.
If you refuse to provide us with Personal Data that is required under the laws in force, our Company may be obliged to refuse your request and/or terminate the contract if this data is essential to perform the service.
Security of data collected
Our Company ensures the confidentiality of the Personal Data entrusted to it from the time they are collected and respects the data protection principles.
Our Company implements security measures appropriate to the sensitivity of the Personal Data to protect it from malicious intrusion, loss, alteration or disclosure to unauthorised third parties. We guarantee the security of information exchanged during transactions and when payments are made.
We make our employees aware of the need to protect the Personal Data made available to them in the course of their duties and ensure that they comply with the rules in force.
Our Company conducts audits to verify proper operational application of these rules and requires its service providers and/or subcontractors to comply with its security principles.
Recipients of data collected
Our Company has set up an access rights policy for its employees and members of staff under which only employees or members of staff who have a business reason to access your Personal Data in connection with their duties are entitled to access it. For purely technical reasons, our Company may outsource certain services for which it is responsible (e.g. website hosting). For all cases in which we outsource the processing of some of your Personal Data, our Company has established a contractual policy with each of its sub-processors requiring them to comply with all legal and technical provisions intended to protect your Personal Data in accordance with the GDPR and prohibiting them from copying your data, for their own benefit or for the benefit of any other party, or from selling them.
If our Company outsources the processing of all or some of your Personal Data, we will remain the sole controller vis-à-vis you.
We inform you that your Personal Data may be transmitted to the following recipients, for the following purposes and within the limits of their respective powers:
a) All bodies authorised by statute or regulation to obtain the disclosure of personal data (e.g. Departmental Commissions);
b) External persons and organisations that may contribute to providing ongoing social support services or to request that such services be provided (e.g. social counsellor, family welfare fund, municipal social action centre, association involved in providing social support services, etc.);
c) Service providers and subcontractors that host computer data;
d) Mutual insurers and insurance companies;
e) The courts to which a dispute has been referred, as well as legal personnel and judicial officers;
f) Third-party bodies authorised by law to obtain disclosure of personal data concerning pre-litigation matters, litigation or convictions;
g) Agencies that grant housing and similar benefits;
h) Communication to Google Analytics of the audience measurement data collected by website cookies for the purpose of continuously improving the services our Company provides.
Transfers of Personal Data outside the European Union
Your Personal Data is stored on servers located solely within the European Union and we guarantee that your Personal Data will not be transferred outside this territory, unless we inform you in advance and, if necessary, request your consent.
Our Company does not carry out automated processing of your Personal Data, nor does it transfer your Personal Data outside the European Union.
Personal data storage periods
Our Company complies with Article 5 of the GDPR, which lays down the principles relating to the processing of personal data, including the following principle: “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (…)”.
If a person whose data has been collected has not yet established a contractual relationship with our Company (prospective customer, job applicant, etc.), their Personal Data may be kept for a maximum period of two years from their last contact with our staff, unless a shorter period is specified in the communication channel used.
If a person whose data is collected is a party to a contract with our Company, their Personal Data will be retained for the duration of such contract or for the time necessary to perform the service, complete legal proceedings, comply with statutory or regulatory obligations, and preserve evidence in contractual matters until the rights of the parties or relevant third parties have been extinguished.
Exercising your rights
In accordance with the GDPR and the French Data Protection Act, you have a right of access, rectification, erasure and portability of your data, as well as a right to object to or restrict the processing of your personal data.
For additional information on your rights and how to exercise them, please refer to our Personal Data Rights Charter (link).
The rights referred to in this paragraph can be exercised by contacting our DPO, in writing, and including proof of identity, at the contact details provided above (See Identity and contact details of the controller).
We will respond to any person who exercises any of the above rights within one (1) month from receipt of the request.
This period may be extended by two (2) months, depending on the complexity or number of requests, after having informed you of this extension of time within one (1) month from receipt of the request.
If the data subject makes the request electronically, the information will be provided electronically if possible, unless the data subject requests otherwise.
If the controller refuses to comply with the data subject’s request for information, the controller will provide the reasons for such refusal.
Furthermore, we inform you that you may register, free of charge, with the BLOCTEL telemarketing opt-out database, which can be accessed on the following website: www.bloctel.gouv.fr. Any consumer who registers on this database may not be solicited by any business by telephone, unless they have a pre-existing contractual relationship. It does not prevent our Company from contacting you by telephone to offer you our Company’s services, subject to your right to object.
In the event your rights are not respected, or to report any breach of the protection of your Personal Data, you can also file a complaint with the CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.