Introduction

This Privacy policy is intended to inform the users of this site and of the services provided by RATP DEVELOPPEMENT (herein after referred to as “you” or the “users”) of the terms and conditions for the collection and processing of personal data by RATP DEVELOPPEMENT.

Moreover, this Privacy policy also aims to inform users of their rights and the implementation of these rights in accordance with national law and the General Data Protection Regulation 2016/679 of April 27th, 2016 on the protection of natural persons with regard to the processing of personal data.

The data controller is RATP DEVELOPPEMENT, a limited company governed by a management board and a supervisory board with a share capital of 517 301 072,70 euros located at 54, Quai de la Rapée 75012 Paris (France) and registered in the Paris Trade and companies register under number 389 795 006 (herein after referred to as the “Company”).

The Company has appointed a Data Protection Officer (hereinafter referred to as “DPO”). You may contact her at the following email address: dpo@ratpdev.com or at the postal address:

RATP Développement
Délégué à la protection des données
54 Quai de la Rapée
75012, Paris, France

I. Persons concerned by this Privacy policy

The Company and its subsidiaries operate transportation networks and offer rail and road services. You are concerned by this Privacy policy when you subscribe to those services proposed by the Company.

II. Type of data collected

The data collected by the Company as part of the services it offers are as follows:
- contact data (last name, first name, email address, company);
- navigation data (searches, number of visits, date of the last visit…).

III. Purposes of processing

The Company processes data of the users of this site in the context of the performance of the services that the Company offers, for the legitimate purposes necessary for the proper functioning of the services as well as in accordance with legal obligations.

This first concerns the management of email alert subscriptions, customer relations management, the conducting of satisfaction surveys, the performance of the proposed service and the sending of information on the modification or evolution of services of the Company. The Company also processes some data for statistical and archival purposes.

IV. Data retention period

The time during which the Company retains the personal data of the users includes the duration of the contractual relationship as well as statutory limitation periods.

V. Recipients of personal data

1. The Company

The Company collects data necessary to ensure the proper functioning of its services. Every employee of the Company entitled to access personal data must sign a confidentiality agreement.

2. Processors

The Company may work with processors in order to perform some of its services. The processors process personal data only for the execution of the services offered by the Company.

The Company contractually requires its subcontractors to comply with security and confidentiality obligations, to implement technical and organizational measures so that data processing operations meet applicable legislation and ensure protection of the rights of the users.

3. Competent authorities

The Company may be required to transmit some personal data collected to the competent authorities, such as the public authorities, the National Commission for Information Technology and Liberties (referred to as the “CNIL”) or the General Directorate for Competition, Consumer Affairs and Fraud Prevention.

VI. Users’ rights over personal data

1. Right of access

Users have the right to access the personal data that concerns them. Users have the right to receive confirmation from the controller that the data about them is or is not being processed. If the users exercise this right, the Company will provide them with a copy of the characteristics of the processing operations carried out on their personal data (the purposes of the processing, the categories of data concerned, etc.).

This information will be provided either electronically or in paper format. Users may obtain a copy of their personal data, subject to compliance with others’ rights.

2. Right to rectification

Any user that finds the data concerning himself or herself are incorrect or incomplete have the right to ask for the correction or the completeness of this information.

3. Right to limit processing

Users have the right to obtain a limitation on the processing of their personal data, in particular when they contest the accuracy of the data, when the processing is unlawful and they wish to obtain the limitation and not the deletion of their data or when the controller no longer needs the data but they are still necessary for the users to establish, exercise or defend a legal claim.

4. Right to object to processing

Users may object to their personal data being processed if they have a legitimate reason and if the processing is based on their consent.
Once you use your right to object, your data will no longer be processed. Where the processing is based on a legal regulation, the right to object is not applicable.

The Company informs you that the modification or deletion will take place as soon as possible.

5. Right to be forgotten

Users may request the deletion of your data in the cases listed in Article 17 of the GDPR: when they are no longer necessary for the purposes for which they were processed or collected; when your data must be deleted pursuant to a legal obligation; when they have been unlawfully processed; or when you withdraw your consent for the purpose concerned.

However, such data may not be erased where processing is necessary, inter alia, for the exercise of the right to freedom of expression and information, for compliance with a legal obligation incumbent on the Company, or for the establishment, exercise or defence of legal rights.

6. Right to data portability

Users have a right to the portability of the data they have transmitted. You will be able to access it in a structured, commonly used and machine-readable format. You may also request that this data be transmitted to another controller when technically possible.
VII. Exercise of rights
You can exercise your rights by contacting the DPO named by the Company at the address mail dpo@ratpdev.com or at the postal address:

RATP Développement
Délégué à la protection des données
54 Quai de la Rapée
75012, Paris, France

For any request to exercise your rights, the Company may ask you to send an official identity document (ID card, passport, license driver) to verify that you are the data subject of the personal data you are requesting.

The answers to your requests will be communicated to you electronically or in paper form.
The Company undertakes to respond to any request as soon as possible and within a maximum period of one month from the receipt of your request. However, this period may be extended by two months where the request is complex or due to the number of requests received.

If the Company cannot respond to your request, you will be informed within one month of receipt of your request. The reasons for this refusal will be clearly indicated. You will then have the opportunity to file a complaint with the CNIL and file a judicial claim.

You are informed that in the case of requests that are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may refuse to respond to your requests or require payment of a fee to offset the administrative costs incurred in responding to your requests.

VIII. Personal data security

The Company implements all appropriate security measures to ensure the protection of the personal data collected, and in particular to prevent the destruction, loss, alteration, disclosure or unauthorized access of the data. To this end, security measures such as anonymization or data encryption will be implemented. Measures to ensure the ongoing confidentiality, integrity, availability and resiliency of treatment systems and services will also be taken. Any breach of security affecting your data and likely to create a high risk for your rights and freedoms will be notified to you as soon as possible.

IX. Storing of personal data

The servers used by the Company to store your personal data are located in France.
The Company transmits certain personal data to its processors providing services necessary for the performance of services. Some processors host personal data on servers located outside the European Union. The Company therefore ensures that they are able to guarantee the same level of data protection as that required by the GDPR within the European Union.

X. Modification of the Privacy policy

When this Privacy policy is modified, the update is published on the Company website or via an e-mail indicating the date of update. We invite the users to consult it regularly.