Privacy Policy – Personal Data

Effective as of 17/11/2020

ARTICLE 1. INTRODUCTION

SIPPEREC is dedicated to complying with the following principles in the context of personal data collection and processing.

The website www.labornebleue.fr is required to collect and process your personal data.

For each processing activity, we are committed to collecting and processing only the data strictly necessary for the operation of ‘La Borne Bleue’ electric vehicle charging service.

This Privacy Policy outlines the manner in which we collect and process your personal data, as well as the extent of your rights, and specifically indicates:

  • the personal data collected;
  • the specific objectives (purposes) for collecting this data and the legal basis on which the data processing is founded;
  • the data subjects concerned by the processing;
  • the retention periods for this data;
  • the recipients of the data;
  • the rights granted to you.

Each form or online service on the www.labornebleue.fr website refers to this privacy policy, and specifies whether the data processed is mandatory or optional for handling your request.

We invite you to read it carefully.

 

ARTICLE 2. DATA COLLECTED

Data collected when subscribing to a plan, creating an account on our websites and applications, using the charging service on our applications, contacting us via contact forms or calling the hotline:

  • last names, first names, title;
  • postal address, email address, potentially phone number;
  • identifier and encrypted password used to authenticate you on our websites or applications;
  • badge number (RFID);
  • contractual data such as the registration date;
  • Encrypted information relating to your payment methods: credit card number, expiration date, and visual cryptogram (CVV), held and processed exclusively by our payment service provider in compliance with the PCI-DSS security standard;

The data we collect during the use of the charging service includes information relating to your commercial history concerning the purchase and performance of services (subscriptions, charging sessions, etc.), billing and payment, and your requests and responses sent to support services.

 

ARTICLE 3. GEOLOCATION

We collect geolocation data, provided you have accepted this feature, in order to identify the physical location of your device and to offer you nearby services by guiding you to the selected charging station.

You may use the service without authorizing SIPPEREC to collect your device’s location data.

The absence of activation of the geolocation feature may nevertheless affect the services provided by SIPPEREC.

Before offering a third party (employees, family members, etc.) a subscription, a charging badge, or any other service we market, you must ensure that the person concerned agrees to their personal data being shared with us.

The Service does not collect any sensitive data (racial origins, political opinions, health-related data, or sexual orientation).

ARTICLE 4. LEGAL BASIS AND PURPOSES OF PROCESSING

We implement various processing operations for which the legal bases and purposes are as follows:

  • the performance of pre-contractual measures taken at your request and/or the execution of the contract to which you have subscribed, for the following purposes:
    • the management of our relationship with you, including in particular:
    • the creation of a personal account on the website;
    • communications management and tracking of exchanges with users;
    • the management of your payment card data.
  • your consent for:
    • sending newsletters;
    • the storage of your bank details to facilitate any subsequent payment;
  • our legitimate interest for:
    • fraud prevention and detection.

Should we be required to process your data for purposes other than those listed in the paragraph above, we will inform you and take any additional steps that may be necessary.

ARTICLE 5. DATA SUBJECTS

The data subjects concerned by the processing operations we perform are as follows:

  • customers of the ‘la borne bleue’ service;
  • users of the ‘la borne bleue’ service who do not have a customer account.

 

ARTICLE 6. DURÉES DE CONSERVATION DES DONNÉES

We retain your personal data only for the period necessary for the purposes described above, in accordance with applicable legislation, increased by the legal limitation period.



The data is retained until the withdrawal of consent.

Purposes Retention period
Management of our relationship with you, as users of the www.labornebleue.fr website The entire duration of the contractual relationship, plus the statutory limitation period. The common law limitation period in civil and commercial matters is five (5) years from the end of the contract.
Managing your payment card data In the case of a one-time payment: the data is retained for the duration of the transaction

In the case of a subscription, the data is retained until the last payment due date, in the absence of automatic renewal.

If retained to facilitate subsequent payments, the data is retained until consent is withdrawn.
Managing your information requests and complaints For the entire duration of the contractual relationship, plus the period required for statutory limitation periods to be acquired. The standard limitation period in civil and commercial matters is five (5) years from the end of the contract
Fraud prevention and detection, also including the management of the consequences of such fraud. Data may be retained for up to twelve (12) months from the issuance of alerts before being qualified.

Alerts qualified as irrelevant or unqualified at the end of the twelve (12) month period are deleted.

Qualified alerts are retained for a maximum period of five (5) years from the closure of the fraud file. For individuals included on a list of proven fraudsters, the data concerning them is deleted after a period of five (5) years from the date of inclusion on said list.

f legal proceedings have been initiated, the data is retained until the end of the legal proceedings, plus the statutory limitation period. The common law limitation period in civil and commercial matters is five (5) years from the end of the contract.

Sending newsletters

 

ARTICLE 7. DATA RECIPIENTS

Your data is only communicated to the following authorized and designated recipients, for the strict requirements of their missions:

  • our technical service providers who enable us to manage the IT systems necessary for the ‘La borne Bleue’ service, the online payment system, telephone calls, and audience measurement;
  • our charging partners who have delegated the operation of their electric vehicle charging infrastructure;
  • third-party operators, with whom roaming agreements have been signed, when the charging service is used on their infrastructure;
  • public authorities or companies in the event of debt collection for services invoiced on their behalf;
  • the new authorized operator in the event of a change of operator at the end of the contract;
  • police, judicial, or administrative authorities, as the case may be.

Access to your data is granted on the basis of individual and limited access authorizations. The personnel concerned are bound by an obligation of confidentiality.

Access by our processors is based on signed contracts mentioning the obligations incumbent upon them regarding the protection of data security and confidentiality.

 

ARTICLE 8. LOCATION OF YOUR DATA

The vast majority of your data is not transferred outside the European Economic Area (EEA). We comply with applicable laws to ensure that you benefit from an adequate level of data protection when your personal data is transferred to the United States.

The online payment service (electronic money) is provided in accordance with the European PSD2 Directive, notably by Stripe Payments Europe, Ltd, an Irish company located at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, a subsidiary of Stripe Inc.

Stripe Inc. operates globally. Personal Data may be stored and processed in any relevant country. It may be transmitted to recipients located in countries other than the country where it was originally collected, including the United States.

These transfers are governed by a cross-border data flow agreement established in accordance with the standard contractual clauses for controller-to-processor transfers issued by the European Commission and currently in force.

 

ARTICLE 9. YOUR DATA PROTECTION RIGHTS

SIPPEREC is particularly concerned with respecting the rights granted to you within the framework of the data processing it implements, to guarantee fair and transparent processing given the specific circumstances and context in which your personal data is processed.

9.1 Your right of access

In this regard, we confirm whether or not your personal data is being processed and, where it is, you have the right to request a copy of your data and information concerning:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients and, should such communications occur, the international organizations to which the personal data are disclosed, particularly recipients established in third countries;
  • the retention period for your personal data;
  • the existence of the right to request from the controller the rectification or erasure of your personal data, the right to request a restriction of the processing of your personal data, and the right to object to such processing;
  • the right to lodge a complaint with a supervisory authority;

9.2 Your right to rectification of your data

You may request that your personal data be, as the case may be, rectified or supplemented if it is inaccurate, incomplete, ambiguous, or outdated.

9.3 Your right to erasure of your data

You may request the erasure of your personal data when one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw your previously given consent;
  • you object to the processing of your personal data when there are no overriding legitimate grounds for the processing;
  • the processing of personal data does not comply with the provisions of the applicable laws and regulations.

Please note that the right to erasure of data is not a general right, and it can only be granted if one of the grounds provided for in the applicable regulations is met.

Therefore, if none of these grounds are met, SIPPEREC will be unable to grant your request; this will be the case if it is required to retain the data due to a legal or regulatory obligation or for the establishment, exercise, or defense of legal claims.

9.4 Your right to restriction of data processing

You may request the restriction of the processing of your personal data in the cases provided for by the legislation and regulations.

9.5 Your right to object to data processing

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where the legal basis is a legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority vested in SIPPEREC (see the article above on the legal basis for processing).

In the event that you exercise such a right to object, we will ensure that we no longer process your personal data for the processing operation concerned, unless we can demonstrate that we have compelling legitimate grounds for continuing that processing. These grounds must override your interests, rights and freedoms, or the processing must be justified for the establishment, exercise, or defense of legal claims.

9.6 Your right to data portability

You have the right to the portability of your personal data.

We draw your attention to the fact that this is not a general right. Indeed, not all data from all processing operations is portable, and this right only applies to automated processing, to the exclusion of manual or paper-based processing.

This right is limited to processing for which the legal basis is your consent or the performance of pre-contractual measures or a contract.

This right only concerns your personal data, and includes neither derived data nor inferred data, which are personal data created by SIPPEREC.

The data to which this right applies are:

  • solely your personal data, which excludes anonymised personal data or data that do not concern you;
  • declarative personal data as well as the operational personal data mentioned above.

The right to portability must not adversely affect the rights and freedoms of third parties, such as those protected by trade secrets.

You may request data portability in accordance with the procedure defined below, specifying whether you wish to receive the data yourself or, if technically feasible for us, for it to be transmitted directly to another data controller.

In the latter case, you shall ensure that you provide us with the exact name of this controller, their contact details, as well as the department or person who should be the recipient. In order to facilitate the exercise of this right, you must inform this recipient of your request to our services.

9.7 Your right to withdraw your consent

You may withdraw your consent at any time.

We will then stop processing your personal data, without affecting the lawfulness of the prior operations to which you had consented.

Nevertheless, insofar as the personal data collected on the basis of your consent are necessary for the provision of the charging service, the withdrawal of your consent will result in the termination of this service.

9.8 Your right to lodge a complaint

You have the right to lodge a complaint with the CNIL (3 place de Fontenoy 75007 Paris) within French territory, without prejudice to any other administrative or judicial remedy.

9.9 Your right to define post-mortem directives

You have the possibility to define specific directives regarding the storage, erasure, and communication of your personal data after your death with our services, in accordance with the procedures defined below. These specific directives will only concern the processing operations carried out by us and will be limited to this scope alone.

You will also have the right to define general directives, if such a person has been designated by the executive branch.

9.10 Procedures for exercising your rights

Requests regarding the exercise of your rights should be sent to the following postal address: SIPPEREC, 175, rue de Bercy 75012 Paris, accompanied by elements allowing us to verify your identity, or by email to the following address: dpo@sipperec.fr.