DATA PROTECTION POLICY1. Who are we?
A presentation of Groupe LDLC is available at the following address: https://www.groupe-ldlc.com/presentation-du-groupe/
Groupe LDLC comprises several companies and merchant sites.
The objective of Groupe LDLC’s Privacy Policy is to:
- Share with you the information pertaining to the personal data which is processed by our departments;
- Inform you of your rights and how you can exercise them.
This Policy was drafted in compliance with the provisions of the General Data Protection Regulation (“GDPR”) and the amended 1978 Data Protection Act. It is likely to evolve based on regulations, case laws and doctrines of supervisory authorities.
2. Who is in charge of processing your data?
GROUPE LDLC and its subsidiaries (hereinafter “GROUPE LDLC”) – in charge of processing the personal data used on their sites – collects information pertaining to you, in particular when creating your Customer Account or when completing your purchases.
In its quality of person determining the purpose and the means of said processing, the party responsible is GROUPE LDLC, as well as the Group’s various companies such as:
- L’ECOLE LDLC
- LDLC DISTRIBUTION
- DLP CONNECT
- LDLC EVENT
- NEMEIO
Contact details of GROUP LDLC and its subsidiaries’ head office:
Corporate address: 2 rue des Érables, 69760
Phone number: 04 72 52 37 77
Email address: dpo@groupe-ldlc.com
3. What type of data do we collect?
We collect the data which is necessary to meet a specific purpose.
The data we collect can have as a legal basis:
- Your consent, which can be withdrawn at any time;
- The execution of our contractual relationship or of pre-contractual measures;
- Compliance with a legal obligation to which we are subjected;
- The legitimate interests pursued by the party responsible for the processing, in compliance with your interests and your rights.
The following table shows the information to be provided when data is collected from the concerned person (Article 12 of the GDPR).
4. What type of processing is implemented?
| Type of processing | Data concerned by the processing | Purpose of the processing | Legal basis for the processing | Recipients |
| Commercial and marketing prospecting | Identity; Contact information; Exchanges pertaining to the implementation of projects; Statistics | The purpose of the processing is to enable prospecting operations, including:
|
Consent (Article 6.1.a of the GDPR)
Legitimate interest, namely informing and promoting products and similar services (Article 6.1.f of the GDPR) |
Internally: the departments in charge of communications and marketing.
Externally: our IT and marketing service providers. |
| Recording telephone calls | Telephone conversations | The purpose of the processing is to:
|
Legitimate interest : the realization of satisfaction survey ; customer studies ; personnel training (Article 6.1.a of the GDPR) (Article 6.1.a of the GDPR) | Internally: the department in charge of customer relations. |
| Contact forms | Identification data; Date and subject of the request; Follow-up actions taken up; Activity statistics |
The purpose of the processing is to fulfil your requests. It makes it possible:
|
Execution of a pre-contractual or contractual measure (Article 6.1.b of the GDPR)
Legitimate interest, namely meeting the expectations of the site’s users (Article 6.1.f of the GDPR) |
Internally: the departments in charge of processing your request.
Externally: the IT service provider. |
| Customer Management | Identification data | The purpose of the processing is to:
|
Consent (Article 6.1.a of the GDPR)
Execution of a contract (Article 6.1.b of the GDPR) Compliance with a legal obligation (Article 6.1.c of the GDPR) |
Internally: the Group’s entities in charge of processing your request, our service providers and sub-contractors.
Externally: partner vendors in the event of a purchase on the ldlc.com Marketplace. |
| Purchasing Management |
Identification data; Payment data; Transaction related data; |
The purpose of the processing is to:
|
Execution of a contract (Article 6.1.b of the GDPR)
Compliance with a legal obligation (Article 6.1.c of the GDPR) |
Internally: the department in charge of sales management.
Externally: partner vendors in the event of a purchase on the ldlc.com Marketplace. |
| Client Review Management | Identification data; Transaction related data; | The purpose of the processing is to:
|
Consent (Article 6.1.a of the GDPR)
Legitimate interest, namely the site’s operation (Article 6.1.f) |
Internally: the departments in charge of communications, marketing, our IT provider.
Externally: reviews are intended to be “individually” published but are subject to moderation. |
| Personal Rights Management | Identification data | The purpose of the processing is to ensure your rights are managed as covered by the GDPR, and the (amended) Data Protection Act | Compliance with a legal obligation (Article 6.1.c of the GDPR) | Internally, the DPO and the persons authorised to ensure the management of your rights.
Externally, certain regulated professions (lawyers). |
| Managing delinquencies and disputes | Identification data; Payment data; Transaction related data; |
The purpose of the processing is to:
|
Execution of a contract (Article 6.1.b of the GDPR) Compliance with a legal obligation (Article 6.1.c of the GDPR)Legitimate interest, namely the site’s survival (Article 6.1.f) |
Internally: the department in charge of accounting.
Externally: authorised providers, which can include regulated professions (lawyers, auditors) |
| Fraud Management | Identification data; Payment data; Transaction related data; Navigation and login data. |
The purpose of the processing is to:
|
Compliance with a legal obligation (Article 6.1.c of the GDPR)
The site’s legitimate interest (Article 6.1.f) |
Internally: our accounting department
Externally: financial or legal authorities, State and public bodies upon request and to the extent permissible and justified by the law |
| Managing the Marketplace | Identification data; Navigation and login data |
The purpose of the processing is to:
|
Compliance with a legal obligation (Article 6.1.c of the GDPR) The site’s legitimate interest (Article 6.1.f) |
Within the limit of the respective needs: Internally: the departments in charge of managing the Marketplace Externally: the service providers in charge of the Marketplace, financial or legal authorities, State and public bodies upon request and to the extent permissible and justified by the law |
| Managing promotional operations | Identification data | The purpose of the processing is to:
|
Consent (Article 6.1.a of the GDPR) | Internally: the department in charge of sales management. Externally: the service providers authorised to process the data that you provide us with, allowing us to offer our services |
| Managing promotional operations | Identification data | The purpose of the processing is to:
|
Consent (Article 6.1.a of the GDPR) | Internally: the department in charge of sales management.
Externally: the service providers authorised to process the data that you provide us with, allowing us to offer our services |
| Managing social media | Identification data visible by default on the platforms | The purpose of the processing is to: Manage the interactions between our Group and our subscribers (sales management) Manage the technical administration of social media Draw up statistics |
Consent (Article 6.1.a of the GDPR) Legitimate interest, namely the site’s operation (Article 6.1.f) |
Internally: the departments in charge of the communication. Externally: the visitors of social media platforms. |
| 360° Customer programme | Identification data and data pertaining to customer orders (name, surname, phone numbers, email address, postal address, order no., etc.). | Programme the aim of which is to provide customers with a true multichannel experience of the various LDLC.COM brands (branches, franchises, subsidiaries), for sales management | Legitimate interest, namely the multichannel processing of customer requests (order tracking, after sales, claims, etc.). Consent for the personalised customer space. | Stores under the LDLC.COM (branches, franchises, subsidiaries) and GROUPE LDLC brand |
| Q&A programme | Customer account data required to manage the programme. | Enable the Web users (clients or prospects) who are authenticated on the GROUPE LDLC site to get information complementary to the Product data sheet by:
|
Legitimate interest, namely obtaining informing on a product or service.
Consent for the personalised customer space and the publication of information (questions, answers or votes). Execution of a contract (compliance with the programme’s Terms of Use). |
GROUPE LDLC, its branches, franchises and subsidiaries. |
| Online navigation (cookies) | Navigation data; Duration of the visit; Technical information (IP address, browser used, etc.) | The purpose of the processing is to:
|
Consent (Article 6.1.a of the GDPR); Legitimate interest, namely the site’s operation for operational cookies (Article 6.1.f). |
Internally: the departments in charge of the communication. Externally: our IT service provider. |
| Newsletter | Identity; Subscription date; Statistics | Manage subscriptions; Manage electronic mailing lists; Draw statistics pertaining to the service | Consent (Article 6.1.a of the GDPR) | Internally: the departments in charge of the communication.
Externally: our IT and communications service providers. |
| Recruitment | Identification and professional life data which can be found on CVs and cover letters. | The purpose of the processing is to make recruitment operations possible: processing applications (CVs and cover letters) and managing interviews | Consent (Article 6.1.a of the GDPR) Execution of a pre-contractual measure (Article 6.1.b of the GDPR) |
Internally: the departments in charge of recruitment operations.
Externally: the potential recruitment firms and temporary employment agencies. |
5. Who are the recipients?
In addition to the above-mentioned recipients and in order to meet the aforementioned purposes, we disclose your personal data solely to:
- The entities of the Groupe LDLC who need them to ensure their management;
- The service providers and sub-contractors performing services on our behalf. They are carefully selected and act in accordance with our instructions;
- Partner vendors in the event of a purchase on the ldlc.com Marketplace;
- Stores under the LDLC brand for the 360° programme
- Financial or legal authorities, State and public bodies upon request and to the extent permissible by the law;
- Credit rating and collection agencies as part of a solvency valuation or a debt collection in the event of unpaid invoices.
- Certain regulated professions such as lawyers, solicitors, auditors.
6. What are the periods of retention?
GROUPE LDLC retains personal data for a period not exceeding the period necessary for the purposes for which they are collected, in accordance with the provisions of the amended 1978 Data Protection Act and the GDPR.
Said data can subsequently be retained in the following case when their retention is required:
- To exercise the right to freedom of expression and information,
- To comply with a legal obligation,
- To execute a mission of public interest or falling within the exercise of an official authority vested in the party responsible for the processing,
- On the grounds of public interest in the field of public health,
- For the purpose of archiving for public interest,
- For the purpose of scientific or historical research or for statistical purposes,
- For the establishment, exercise or defence of rights in court.
The criteria which determine the periods of retention are as follows:
- Legal or regulatory provisions
- Case laws and doctrines of supervisory authorities
- Benchmarks
Bank cards are only saved following a specific request by the customer on the payment page (if the option is available). They are retained for future orders so as to improve your shopping experience on one of our sites. The cards on record for future purchases are retained in a secured space with our payment service provider. GROUPE LDLC does not retain this information. You have the option to delete your card at any time on the payment page.
Cookies have a limited lifetime of thirteen months after they are first downloaded on the user’s terminal (as the result of the expression of consent), as per the CNIL’s recommendations. You can change your preferences at any time via the cookie manager link that can be found at the bottom of our site pages. For more information on cookies and how we commit to using them, please visit this page.
Sales Management: Your data is retained for the duration of the contractual relationship and in accordance with the limitation periods pertaining to the retention or the protection of the rights of the party responsible for the processing.
Managing accounting and tax operations: Accounting and tax data is retained for a period of 10 years.
Managing promotional operations: Data is retained until consent is withdrawn or for the 3 years as of the last contact. It can also be retained:
– For a period of 3 years as of the last contact the persons to which the data relates have had with our company;
– After execution of the contract, in temporary archives, in order to meet all accounting or tax obligations or to provide evidence in the event of a dispute and within the applicable limitation periods.
The data pertaining to the account created by the customer is intended to be retained until deletion of the account by the customer. However, the account may be considered as inactive following a 2-year period of inactivity and deleted.
Personal Rights Management: When someone exercises their right to oppose being the recipient of prospecting campaigns, in order to ensure its efficiency, the information which makes this choice possible is kept for a minimum duration of 3 years as from the moment said right is exercised.
Client Review Management: At the request of the author of a review, GROUPE LDLC offers the option to de-publish said review while keeping its traceability for future verification of the review. GROUPE LDLC can delete a review in the event of a change of ownership, the complete renovation of a facility and/or a substantial change in the features of a product or service. GROUPE LDLC shall keep a history of all the deleted reviews – along with all the documents attached to said reviews – from the site and the reason for their deletion for a maximum period of one rolling year as of the date of deletion of the review.
Managing delinquencies: In the event of delinquencies, the data shall be deleted from the file listing people with delinquent payments at the latest 48h after the delinquent payment has been cleared. On an exceptional basis, and when necessary and proportionate circumstances so justify, the data may be retained in order to prevent recurrence. Should the matter not be settled, the information is likely to be retained in the file listing people with delinquent payments for a maximum duration of 3 years as of the occurrence of the delinquency. It can then be archived in order to meet all accounting or tax obligations or to provide evidence in the event of a dispute and within the applicable limitation periods.
Recording telephone calls: Recordings are retained for a maximum period of 6 months.
Supporting documents sent to Customer Relations: The purpose of any processing pertaining to the request for supporting documents is to fight against corruption and delinquencies. The data is retained for 30 days as of the month following their receipt and 24 months as of the date of the transaction in the event of a dispute. Supporting documents containing copies of bank cards are immediately deleted.
Newsletters: You can unsubscribe from our newsletters at any time using the link provided for this purpose in the email or directly from your Customer Account.
7. Who can access personal data?
The party responsible for the processing does not sell nor share your data to any third-party trading partner. Certain employees may have access to the data which is necessary for them to perform their duty.
Our various service providers can have access to the data in view of the execution of their contract, in compliance with the aforementioned purposes and with the law.
The data may be disclosed within the framework of business operations (mergers, acquisitions, transfers, restructuring, etc.).
The “authorised third parties” (public authorities or court officers) are official bodies which can access some of the data contained in public and private records, as per the text granting them said permission.
Within the framework of the 360° customer project aiming at providing customers with a true multichannel experience, the data is shared between various LDLC.COM brands (branches, franchises, subsidiaries): customers derived from this transfer of data who have an email address will see a Web account created for them following their migration to the new checkout software programme. However, the account shall only be activated once the customer has updated his/her password on the site when logging in for the first time. The data concerned is taken from the invoices relating to the purchases carried out with stores under the LDLC brand, the list of which is available at the following address: : https://www.groupe-ldlc.com/boutiques/. The legal basis for this processing is the legitimate interest, namely the multichannel processing of customer requests (order tracking, after sales, claims, etc.) and the consent for the personalised customer space.
Concerning the LDLC Marketplace, the role our company plays is putting vendors in contact with buyers. The buyers are informed that their data and the personal data collected when placing an order via the Marketplace is processed by Groupe LDLC and the service providers in charge of the Marketplace. Only the data strictly necessary to complete transactions shall be shared with the vendor and for the sole purpose of processing said transactions.
8. Do we transfer data abroad?
Your data is not transferred to third countries and is hosted within the European Union.
Concerning the functions pertaining to the use of social media, your publications are likely to be accessible outside the European Union. We invite you to read the Data Management Policy of the social media platforms concerned.
9. Security
We are committed to ensuring the safety of your personal data through strict procedures implemented within our company.
Concerning the data collected “online”, communications on the customer side are encrypted between the user’s device and our servers (HTTPS secure zone). GROUPE LDLC is committed to make every effort in order to protect your personal data. Within the company, only the GROUPE LDLC members of staff who – due to their functions have a legitimate interest in accessing personal data – can access said data. As part of technical operations, your data can also be hosted by our sub-contractors. They are carefully selected and act in accordance with our instructions.
10. Personal rights / your rights
The Persons Concerned have the following rights that they can exercise under the conditions laid down by the GDPR:
- The right to oppose and to withdraw their consent at any time. In situations where processing is based on consent, the latter can be withdrawn at any time, without prejudice to the lawfulness of the processing based on the consent granted prior to its withdrawal.
- The right to access the personal data concerning them
Article 15 of the GDPR
- The right to rectify the personal data concerning them if it is incorrect
Article 16 of the GDPR
- The right to erase the personal data concerning them subject to the conditions required to exercise said right in application of the provisions of Article 17 of the GDPR
- The right to restrict the processing
Article 18 of the GDPR
- The right to data portability
Article 20 of the GDPR
- The right to oppose
Article 21 of the GDPR
- The right to define instructions pertaining to the fate of your personal data (conservation, deletion or communication of the data) after your death.
Article 85 of the (amended) Data Protection Act
- The right to file a claim with a supervisory body (the CNIL in France).
Article 104.4 of the (amended) Data Protection Act
Check the cnil.fr Website for more information on your rights.
These rights can be exercised directly with the party responsible for the processing.
11. Exercising your rights
To exercise your rights or for any other question regarding the processing of your personal data, we invite you to contact Groupe LDLC and its subsidiaries using the following contact details:
- Corporate address: GROUPE LDLC – DPO – 2 rue des Érables, 69760
- Phone number: 04 72 52 37 77
- Email address: dpo@groupe-ldlc.com
12. Claim
Should you feel that, after having contacted us, your “Data Protection Act” rights have not been respected, you can file a claim with a supervisory body.
The French supervisory body is the Commission Nationale de l’Informatique et des Libertés (CNIL).
Last update: 19.02.2021