Last updated on June 19, 2024 – Download PDF version.
1. Personal data
The services offered by La Suite Biarritz involve the processing of personal data.
This policy informs you of the characteristics of this processing and of your rights with regard to your personal data.
This privacy policy has been drafted in accordance with Act no. 78-17 of 6 January 1978 (known as the “Data Protection Act” or “LIL”) and the General Regulation on the Protection of Personal Data (“RGDP”) no. 2016/679.
2. Who is this policy aimed at?
This policy applies to all persons who book accommodation and complementary services with La Suite Biarritz.
3. Who is the data controller?
The data controller is La Suite, a SAS with capital of €100,000, registered in the Biarritz Trade and Companies Register under no. 852142603, with its registered office at 11 avenue Edouard VII 64200 Biarritz.
4. Purposes (what the data collected is used for)
The processing carried out relates to the services offered by La Suite Biarritz.
| N° | PURPOSE (What the Intermediary uses the data for) | LEGAL BASIS (What authorises us to process data) |
| 1 | Technical management of the La Suite website (hosting, maintenance, administration) | Legitimate interest |
| 2 | Managing requests, bookings, cancellations and payments | Execution of pre-contractual measures – execution of the reservation contract |
| 3 | Stay management (check-in, access to rooms, additional services requested, behavioural problems, damage, satisfaction questionnaire) | Execution of the reservation contract |
| 4 | Managing customer loyalty campaigns | Performance of the reservation contract and legitimate interest |
| 5 | Managing sales prospecting campaigns | Consent |
| 6 | sending the newsletter to people who register spontaneously on the site | Legitimate interest |
| 7 | Sharing data with other Group companies for prospecting purposes | Consent |
5. Data processed
| N° | PURPOSE (What the Intermediary uses the data for) | Personal data processed |
| 1 | Technical management of the La Suite website: hosting, maintenance and administration | Site data and connection data (IP addresses, logs, terminals, etc.) |
| 2 | Managing requests, bookings, cancellations and payments | Customer and guest identity details (surname, first name, telephone number, e-mail address, address, details given on identity document, nationality, age) – for minors, only the first name is collected – Bank details – Details of services booked: dates of stay, number of people, category of accommodation, additional services booked, comments/special requests, etc. |
| 3 | Managing your stay (check-in, access to rooms, additional services requested, complaints, behavioural problems, damage, satisfaction questionnaire) | Customer and guest identity details (surname, first name, telephone number, e-mail address, details given on identity document, nationality, age) – for minors, only the first name is collected – Bank details: credit card imprint – Details of services booked: dates of stay, number of people, category of accommodation, additional services booked, comments/special requests – Health details: food allergies and feathers – Details of complaints, behavioural problems, damage, satisfaction comments |
| 4 | Managing customer loyalty campaigns | surname, first name, e-mail address, telephone number, date of birth, nationality, town of residence, date of stay, number of stays |
| 5 | Managing sales prospecting campaigns | surname, first name, e-mail address, telephone number, date of birth, nationality, town of residence |
| 6 | sending the newsletter to people who register spontaneously on the site | |
| 7 | Sharing data with other Group companies for prospecting purposes | surname, first name, e-mail address, telephone number, date of birth, nationality, town of residence, date of stay, number of stays |
6. Data retention period
Data that is processed is kept for no longer than is necessary for the purposes for which it is recorded (principle of minimisation of processing).
| N° | PURPOSE | DATA RETENTION PERIOD |
| 1 | Technical management of the La Suite website: hosting, maintenance and administration | Connection data is kept for a maximum of a few months. Backup 6 months Cookies must have a maximum lifetime of 13 months. At the end of this period, consent is requested again. The data collected is kept for a maximum of 25 months. |
| 2 | Managing requests, bookings, cancellations and payments | Data is kept for a period of 10 years from the date of collection (5 years + 5 years for intermediate archiving). Bank details are kept until the end of the stay and then for a period of XX days. |
| 3 | Management of the stay (access to rooms, additional services requested, behavioural problems, damage, satisfaction questionnaire) | Data is kept for a period of 10 years from the date of collection (5 years + 5 years for intermediate archiving). Bank details are kept until the end of the stay and then for a period of XX days. |
| 4 | Managing customer loyalty campaigns | Loyalty is possible for 3 years from the end of the last stay or the last contact from the person (e.g. a click on a newsletter). Once this period has elapsed, the establishment is obliged to delete the personal data, unless it obtains consent to start a new 3-year period. |
| 5 | Managing sales prospecting campaigns | Canvassing is possible for 3 years from the date of consent or the last contact from the individual (e.g. a click on a newsletter). Once this period has elapsed, the establishment is obliged to delete the personal data, unless it obtains consent to start a new 3-year period. |
| 6 | sending the newsletter to people who register spontaneously on the site | The data is kept for a period of 3 years from the date of collection or the last contact from the person(for example, a click on a hypertext link in an e-mail). |
| 7 | Sharing data with other Group companies for prospecting purposes | Canvassing by other companies in the group is possible for 3 years from the date of consent or the last contact from the individual (e.g. a click on a newsletter). After this period, companies are obliged to delete personal data, unless they obtain consent to start a new 3-year period. |
7. Compulsory or optional nature of data collection
The data collected is mandatory in order to achieve the purposes of the processing.
8. Data sources
Data is sent to the data controller directly by the data subject, or indirectly when travellers book through third-party platforms such as Booking or Expedia (surname, first name, nationality, booking information).
9. Data recipients
La Suite Biarritz, in its capacity as data controller, undertakes not to pass on the personal data collected except where this is necessary to fulfil the purposes previously defined.
| N° | Category of recipients | Recipients |
| 1 | Subcontractors | Hosting, website maintenance: OVH, WP Channel Mews Duve booking software: customer experience platform (customer email notification) Google Workspace (Gmail) |
| 2 | Co-manager of intra-group processing | Processing relating to the website and communication/marketing is carried out jointly by the parent company, Les Galeriens, which is jointly responsible for the processing. |
| 3 | Sharing data with other Group companies for prospecting purposes | Data may only be shared with other Group companies for canvassing purposes with the express prior consent of the person concerned. |
| 4 | Other data controllers | When the traveller books the rental through third-party platforms such as Booking or Expedia, these platforms act as data controllers with regard to the traveller, in accordance with their own privacy policies: Booking: https: //www.booking.com/content/privacy.fr.html?aid=397594&label=gog235jc-1DCAEoggI46AdIDVgDaE2IAQGYAQ24AQfIAQ_YAQPoAQH4AQKIAgGoAgO4AuTN3LIGwAIB0gIkYWI0ZGUxYzAtMzVlYi00MmE4LWI2YTAtNWJmNjEwZTU0NTlm2AIE4AIB&sid=22f514253dcb5b685d33dd7ee36570a8 Expedia: https: //www.expedia.fr/lp/b/privacy Gritchen Affinity for optional cancellation insurance: https: //www.secure-bookings.com/Terms/Insurance/Safebooking-fr.pdf?_gl=1*imj299*_gcl_au*Mzc5OTc2MDM0LjE3MTU2OTQxNjc. |
| 5 | Third-party recipients for plotters jointly responsible for processing | To find out more about third-party cookies and how the publishers of these third-party solutions process your personal data in their capacity as data controllers, please read their cookie policy: XXX[EG1]. |
10. What safety measures have been put in place?
The data controller shall implement appropriate technical and organisational measures to guarantee a level of security appropriate to the risk.
The controller shall take measures to ensure that any natural person acting under their authority or under that of the processor, who has access to personal data, does not process it unless obliged to do so.
11. The existence of data transfers to countries outside the European Union and associated guarantees
The data controller may transfer personal data outside the European Union via its subcontractors, in particular Mews, Duve and Google. These service providers may transfer data outside the EU.
Mews: https: //www.mews.com/en/terms-conditions/data-processing-transfer-policy-partners
Google: https: //policies.google.com/privacy?hl=fr
Duvet: https: //duve.com/privacy-policy/?utm_medium=cpc&utm_source=google&utm_campaign=gsn_brand_duve_fr&utm_term=duve
The data controller undertakes to ensure that these transfers are carried out :
-to countries offering an adequate level of protection as defined by the European Data Protection Authorities, or
-with appropriate safeguards pursuant to Article 46 of the RGDP, or
-in compliance with article 49 of the RGPD.
12. Automated decision-making
The processing does not involve fully automated decision-making.
13. Fate of personal data after death – Right of access, rectification, deletion and portability of data
The person concerned by a processing operation may define directives relating to the conservation, deletion and communication of their personal data after their death. These directives may be general or specific.
Data subjects also have the right to access, object to, rectify, delete and, under certain conditions, port their personal data. The data subject has the right to withdraw consent at any time if consent is the legal basis for the processing.
The request must state the full name, e-mail address or postal address of the person concerned, and must be signed and accompanied by valid proof of identity.
They may exercise these rights by contacting : Jean-Pierre Heguy – Chairman – bonjour@lasuitebiarritz.com
14. Claims
The data subject has the right to lodge a complaint with the supervisory authority (CNIL): https: //www.cnil.fr/fr/webform/adresser-une-plainte