PERSONAL

DATA PROTECTION POLICY

1.  Who are we?

A presentation of the company LABYRINTHE PARIS is available at the following address: https://www.labyrinthe-paris.com/la-maison/

 The website of the company LABYRINTHE PARIS is an e-commerce website. The objective of the company LABYRINTHE PARIS’s Privacy Policy is to:

·       Share with you the information pertaining to the personal data which is processed by our departments.

·       Inform you of your rights and how you can exercise them.

This Privacy Policy was drafted in compliance with the provisions of the General Data Protection Regulation (namely the “GDPR”) and French Act on information technology, data files and civil liberties (Act N°78-17 of 6 January 1978) as amended. It reflects our current practices and is likely to evolve based on regulations, case laws and doctrines of supervisory authorities.

2.  Who is in charge of processing your data?

The company LABYRINTHE PARIS, in charge of processing the personal data used on its website – collects information pertaining to you, in particular when creating your Customer Account or when completing your purchases.

In its quality of person determining the purpose and the means of said processing, the party responsible is LABYRINTHE PARIS:

·       Site internet : https://www.labyrinthe-paris.com/

Numéro de RCS : 838 318 582

Adresse : 231, rue Saint-Honoré 75001 Paris France

Adresse de courrier électronique : contact@labyrinthe-paris.com

3.  What type of personal data do we collect?

Personal data refers to information relating to an identified or identifiable natural person. This includes, for example, the name, address, and gender of an individual.

We may collect personal data directly from you (for example, when you purchase a product in a store) or indirectly (for example, from your electronic devices that interact with our websites, electronic forms, or mobile applications (the "Digital Platforms")).

We will notify you when your information is necessary to process your request, to respond to your requests, or to provide you with our products and services. If you do not provide this information, it may take delay or make it impossible to process your requests, respond to your questions, and provide products or services. We strive to ensure that the personal data we hold is accurate at all times. Therefore, we encourage you to update your data in case any changes. We may also request you to update your data from time to time.

We recommend that you only provide the requested or necessary data for your request, with the except of sensitive data relating to race, ethnic origin, political opinions, religious or philosophical beliefs, and data concerning health, sexual life, or sexual orientation.

Please remind that we do not collect, directly or indirectly, personal data from individuals under the age of sixteen (16), without prejudice to any local law setting a different minimum age. Therefore, we ask you not to provide us with personal data of individuals who do not meet this criterion.

We collect the personal data which is necessary to meet a specific purpose.
The data we collect can have as a legal basis:

·       Your prior consent, which can be withdrawn at any time.

·       The execution of our contractual relationship or of pre-contractual measures.

·       Compliance with a legal obligation to which we are subjected.

·       The legitimate interests pursued by the party responsible for the processing, in compliance with your interests and your rights.

The following table shows the information to be provided when data is collected from the concerned person (Article 12 of the GDPR).

4.  What type of processing is implemented?

5.  Who are the recipients?

In addition to the above-mentioned recipients and in order to meet the aforementioned purposes, we disclose your personal data solely to:

·       The entity and their employees of LABYRINTHE PARIS who need to know them in order to ensure their management in compliance with the aforementioned purposes, and who are required to respect their confidentiality.

·       The service providers and subcontractors who perform services on our behalf, including logistics and transport providers, payment service providers, banks, etc. These service providers and subcontractors are rigorously selected and act in accordance with our instructions, requiring them to respect the confidentiality of your personal data and prohibiting them from using it for any other purpose. We also require them to apply appropriate security measures to protect your personal data.

·       Financial or legal authorities, State, and public bodies upon request and to the extent permissible by the law.

·       Credit rating and collection agencies as part of a solvency valuation or a debt collection in the event of unpaid invoices.

·       Certain regulated professions such as lawyers, solicitors, auditors.

6.  What are the periods of retention?

6.1  General rules

LABYRINTHE PARIS retains personal data for a period not exceeding the period necessary for the purposes for which they are collected, in accordance with the provisions of the amended 6 Jan 1978 Data Protection Act and the GDPR.

Said data can subsequently be retained in the following case when their retention is required:

·       To exercise the right to freedom of expression and information,

·       To comply with a legal obligation,

·       To execute a mission of public interest or falling within the exercise of an official authority vested in the party responsible for the processing,

·       On the grounds of public interest in the field of public health,

·       For the purpose of archiving for public interest,

·       For the purpose of scientific or historical research or for statistical purposes,

·       For the establishment, exercise, or defense of rights in court.

· 

The criteria which determine the periods of retention are as follows:

·       Legal or regulatory provisions

·       Case laws and doctrines of supervisory authorities

·       Benchmarks

6.2  Specific rules

Bank cards are only saved following a specific request by the customer on the payment page (if the option is available). They are retained for future orders to improve your shopping experience on one of our sites. The cards on record for future purchases are retained in a secured space with our payment service provider. LABYRINTHE PARIS does not retain this information. You have the option to delete your card at any time on the payment page.

Cookies have a limited lifetime of thirteen months after they are first downloaded on the user’s terminal (as the result of the expression of consent),

as per the CNIL’s recommendations.

Sales Management: Your data is retained for the duration of the contractual relationship and in accordance with the limitation periods pertaining to the retention or the protection of the rights of the party responsible for the processing.

Managing accounting and tax operations: Accounting and tax data is retained for a period of 10 years.

Managing promotional operations: Data is retained until consent is withdrawn or for the 3 years as of the last contact. It can also be retained:

–     For    a   period    of   3    years    as    of   the    last    contact    the   persons    to    which   the    data    relates    have    had    with    our    company;

–  After execution of the contract, in temporary archives, in order to meet all accounting or tax obligations or to provide evidence in the event of a dispute and within the applicable limitation periods.

The data pertaining to the account created by the customer is intended to be retained until deletion of the account by the customer. However, the account may be considered as inactive following a 2-year period of inactivity and deleted.

Personal Rights Management: When someone exercises their right to oppose being the recipient of prospecting campaigns, in order to ensure its efficiency, the information which makes this choice possible is kept for a minimum duration of 3 years as from the moment said right is exercised.

Managing delinquencies: In the event of delinquencies, the data shall be deleted from the file listing people with delinquent payments at the latest 48h after the delinquent payment has been cleared. On an exceptional basis, and when necessary and proportionate circumstances so justify, the data may be retained to prevent recurrence. Should the matter not be settled, the information is likely to be retained in the file listing people with delinquent payments for a maximum duration of 3 years as of the occurrence of the delinquency. It can then be archived to meet all accounting or tax obligations or to provide evidence in the event of a dispute and within the applicable limitation periods.

Supporting documents sent to Customer Relations: The purpose of any processing pertaining to the request for supporting documents is to fight against corruption and delinquencies. The data is retained for 30 days as of the month following their receipt and 24 months as of the date of the transaction in the event of a dispute. Supporting documents containing copies of bank cards are immediately deleted.

Newsletters: You can unsubscribe from our newsletters at any time using the link provided for this purpose in the email or directly from your Customer Account.

7.  Who can access personal data?

The party responsible for the processing does not sell nor share your data to any third-party trading partner. Certain employees may have access to the data which is necessary for them to perform their duty.

Our various service providers can have access to the data in view of the execution of their contract, in compliance with the aforementioned purposes and with the law.

•  Carriers,

•  Banks, payment service providers and credit institutions,

•  IT service providers, hosting and telephony services,

•  Service providers in charge of the fight against fraud and the recovery of unpaid debts,

•  Financing providers

•  "Authorized third parties" (public authorities or court officers) are bodies that can access certain data contained in public and private files, on the basis of a text authorizing them to do so, for example the tax authorities, the administration of justice, the police and gendarmerie, and bailiffs.

The data may be disclosed within the framework of business operations (mergers, acquisitions, transfers, restructuring, etc.).

8.  Do we transfer data abroad?

Your data is not transferred to third countries and is hosted within the European Union.

Concerning the functions pertaining to the use of social media, your publications are likely to be accessible outside the European Union. We invite you to read the Data Management Policy of the social media platforms concerned.

9.  Security

The controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the

degree of probability and severity of which varies, for the rights and freedoms of individuals When assessing the appropriate level of security, In particular, account shall be taken of the risks involved in the processing, in particular resulting from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

10.  Personal rights / your rights

The Persons Concerned have the following rights that they can exercise under the conditions laid down by the GDPR:

·       The right to oppose and to withdraw their consent at any time. In situations where processing is based on consent, the latter can be withdrawn at any time, without prejudice to the lawfulness of the processing based on the consent granted prior to its withdrawal.
· The right to access the personal data concerning them
Article 15 of the GDPR
·The right to rectify the personal data concerning them if it is incorrect
Article 16 of the GDPR

·       The right to erase the personal data concerning them subject to the conditions required to exercise said right in application of the provisions of Article 17 of the GDPR.
·       The right to restrict the processing
Article 18 of the GDPR
·       The right to data portability
Article 20 of the GDPR
·       The right to oppose
Article 21 of the GDPR