The owner and the provider creating and/or administrator of the site and the user of the site undertake to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The owner collects and processes the data (including contact details, identity etc.) that he receives from the user. The purpose of this collection is one or more specific purposes agreed with the user, the performance of a contract to which the user concerned is a party or the execution of pre-contractual measures taken at the request of the user, compliance with a legal obligation to which the controller is subject, or for the purposes of the legitimate interests pursued by the controller or by a third party. Examples: customer management, contract execution, order management, accounting, direct marketing.
The data collected, except for other consent of the user, will only be transmitted to subcontractors, recipients and /or third parties only within the framework of the purposes of the processing.
The user must provide accurate data and keep it up to date.
User data is kept for a maximum of only seven years, if applicable this period takes place from the end of the contract; unless the personal data must be kept beyond that on the basis of special legislation or in relation to an ongoing dispute.
The user of the site, by communicating his personal data or browsing the site consents to the collection, use and processing of his personal data.
The site owner collects the following information:
- Data relating to your identity such as your surname, first name, telephone number, e-mail address, ECB / VAT number
- Navigation data: this is data relating to the way you use the site including: IP address, browser used, browsing time, search history, operating system used, language and pages viewed;
- Data about your visits to the Site, including traffic data, log files and other communication data or resources that you use when accessing the Site;
- Data relating to orders if applicable: postal address, bank details or PayPal;
- Data relating to the use of social networks when you use their features.
The user accepts that his data will be transmitted and used to third parties for commercial, advertising or marketing purposes and agrees to receive, from the owner of the site or its partners, information by email or post.
Comply with the Data Protection Regulation,the user has the right to request from the controller, by sending him an email, access to personal data, rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to object to the processing and the right to data portability;
The controller shall implement appropriate technical and organisational measures to ensure the protection of the personal data collected.
Why does Mamzelle Créations collect and use this personal data?
Mamzelle Créations stores server logs with the aim of being able to detect intrusion attempts and anomalies, in order to guarantee the security of the computer system.
The information that the user encodes via the contact form is only used to respond to the user's request.
Personal data will only be used for these purposes.
How Mamzelle Créations collects this personal data
Mamzelle Créations collects data on users via different sources of information:
- The user sends an email to firstname.lastname@example.org
- Server log
- Via the newsletter subscription form
How long does Mamzelle Créations keep users' personal data and what is the legal basis?
Server logs are stored for a period of 6 months. The storage of these logs is legal if the user is well informed about the implementation of the logging system and the stored data is only used to guarantee the security of the system and the detection of anomalies.
The personal data retrieved via the contact form are only processed for the time necessary to answer the user's question. As a result, the retention period of information is variable and depends on the complexity of the request. When a user submits the contact form, they can legitimately expect to receive a response from us.
Rights of data subjects
In compliance with the General Data Protection Regulation (GDPR), users have the following rights with regard to the data that Heliboo collects about them:
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to limitation
- Right to portability
For any request that concerns these rights, users can send an email to email@example.com with the subject of his request. Mamzelle Créations will respond to the request sent in connection with the rights listed above within one calendar month after receipt of the request. If Mamzelle Créations receives many requests or complex requests, the response time may increase for a maximum of 2 additional months.
For security reasons, for each request related to these rights, Mamzelle Créations will verify the identity of the person submitting the request. To do this, the person concerned will be invited to do the following action:
- Send a copy of an official document (identity card, passport) and a copy of a service bill (telephone, electricity, etc.) that clearly mentions the name and address of the person concerned.
Mamzelle Créations will respond to the request only after a positive identification.
Technical information on security measures
List of security measures
- Educate users
- Authenticate users
- Track access and manage incidents
- Secure desktops
- Securing mobile computing
- Protect the computer network
- Secure servers
- Secure the website
- Record and plan for business continuity
- Archive securely
- Supervise the maintenance and destruction of data
- Manage subcontracting
- Ensure the security of exchanges with other organizations
- Supervise IT developments
- Encrypt, guarantee integrity or sign
Mamzelle Créations continuously tests and improves these measurements.
Detection of a security breach
Any event that poses a potential threat to personal data should be considered a security breach. A threat can be of different kinds: loss, alteration, corruption or exposure to third parties.
Here are some examples of events that should be considered a threat:
- Intrusion of a third party into the corporate network
- Infection of one or more devices with malware, including virus, rootkit, ...
- Loss of a USB flash drive containing files containing personal data.
- Loss of a computer, tablet or smartphone containing or able to access files containing personal data.
- Security breach on our data server
Mamzelle Creations has taken a number of steps to detect these events without delay.
During the risk analysis, Mamzelle Créations first identifies the potential damage (physical, material or moral damage) associated with a processing activity. Then we assess the severity of the damage that could result. Finally, Mamzelle Créations assesses the probability of the event by analyzing the vulnerabilities of their systems and operations as well as the nature of the threats. Risks are categorized as "high risk", "risk" and "low risk".
Notification of security breaches to the competent authorities
If the security breach may result in a threat to the data subjects, such as, for example, identity theft, fraud, financial loss or impact on influence, Heliboo will inform the authorities.
This notification must take place within 72 hours of the positive identification of the security threat. If this period is exceeded, the additional period must be justified.
Notification of security breaches to data subjects
If the risk to the persons concerned is considered high, they must also be informed. In case of doubt about the degree of risk, the authorities may be contacted for verification.
If the situation requires notification to the persons concerned, they should also be provided with guidance on how to mitigate the risk.