Personal data

The information that the pfbc-cbfp.org site collects comes from voluntary communication by individuals by entering online forms (available from the pfbc-cbfp.org site). The optional or mandatory nature of the data is indicated on each form. These email addresses may be used to meet your needs and send you information (newsletter). You may, however, object to receiving these emails by sending your request via the contact form.

The PFBC-CBFP undertakes to ensure that the collection and processing of personal data, carried out from this site, complies with Law No. 78-17 of January 6, 1978 as amended relating to information technology, files and freedoms as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 applicable on May 25, 2018. Thus, unless otherwise stipulated directly mentioned on the data entry form, the electronic addresses collected are not subject to any transfer to third parties by the PFBC-CBFP.

The destination of the information collected is specified on each online form.

Each form or teleservice limits the collection of personal data to what is strictly necessary (data minimization) and indicates in particular:

• what are the objectives of collecting this data (purposes);
• whether this data is mandatory or optional for the management of your request;
• who will be able to read it (only the PFBC-CBFP in principle, unless specified in the form when transmission to a third party is necessary to manage your request);
• your IT and Liberties rights and how to exercise them with the PFBC-CBFP.

The personal data collected as part of the services offered on the PFBC-CBFP websites are processed according to secure protocols and allow the PFBC-CBFP to manage requests received in its IT applications.

Personal information collected as part of the services offered by the community is kept in accordance with the rules prescribed by the departmental archives, by the law of 1978 and for a period justified by the purpose of their processing. The PFBC-CBFP services have IT resources intended to manage your file, your requests as well as the services provided to you. The information recorded is reserved for the use of the services concerned and can only be communicated to PFBC-CBFP staff and authorized recipients.

In accordance with articles 15 to 23 of the General Data Protection Regulations, you have the right to access and rectify information that concerns you - You can also define the fate of your data after your death, by contacting the Data Protection Officer. You can also, for legitimate reasons, object to the processing of data concerning you, unless this right has been waived by a legislative provision.

A copy of the personal data concerning you may be issued to you, at your request and against reimbursement of the costs of its reproduction. However, the Department has the possibility of opposing requests that are manifestly abusive, particularly due to their number, repetitive or systematic nature.

Requests to exercise the right of access, rectification, opposition and deletion can be made by email directly via the form « exercise your rights over your personal data »

Since the entry into force of the European Data Protection Regulation (REGULATION (EU) 2016/679) on May 25, 2018, every user has the right:

• to object to profiling;
• to request restriction of processing;
• to lodge a complaint with a supervisory authority.
  (In France : CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - phone : 01.53.73.22.22 - www.cnil.fr)

The following 11 principles constitute the personal data management policy of the PFBC-CBFP.

The PFBC-CBFP is responsible for the processing of personal data that it implements directly or indirectly in France and abroad. Consequently, it must strictly comply with the law on the Protection of Personal Data but also with the GDPR.

In accordance with legal requirements, it must complete all formalities necessary for the implementation of the processing of personal data, whether this data concerns its users or its agents.

The PFBC-CBFP must determine the purposes for which it collects personal data. The data is collected for specific, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with these purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered, in accordance with Article 89 GDPR (1), to be incompatible with the original purposes (limitation of purposes).

Article: 6, 26 of the GDPR.

The PFBC-CBFP does not collect personal data without the knowledge of the persons concerned. In the same way, the PFBC-CBFP does not collect personal data when the persons concerned legitimately object to it.
The data is collected lawfully in accordance with Article 6 of the GDPR.
The PFBC-CBFP provides data subjects, from whom it collects their personal data, with information on the purpose of the processing, the identity of the controller, the legal basis for the processing, the retention period and the scope of the processing. their rights in accordance with Articles 13 and 14 of the GDPR.

The PFBC-CBFP is limited to collecting only the personal data necessary to achieve the stated purposes. The data is adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimization).

Article: 25 of the GDPR

The data provided by users must be accurate and, if necessary, the PFBC-CBFP will implement all necessary and reasonable measures to update them.

Article: 16 of the GDPR

The PFBC-CBFP ensures that the personal data it processes is updated while respecting the intended purposes. The retention periods must not exceed those necessary to achieve the intended purposes.

These storage times are

• either decreed by the Departmental Archives or the Archives of France,
• or specified in legislative and/or regulatory texts. 

These durations, or the elements allowing them to be determined, are brought to the attention of users.

The PFBC-CBFP determines and implements the means necessary to protect personal data processing systems to avoid any malicious intrusion and prevent any loss, alteration or disclosure of data to unauthorized persons.

The PFBC-CBFP determines and implements security measures to guarantee the confidentiality of data:

Article 34 of the Data Protection Act
Article 32 of the GDPR - Security of processing

The PFBC-CBFP requires its subcontractors and partners to provide sufficient guarantees to ensure the security and confidentiality of personal data (signing confidentiality clauses).

In the event of a security breach, the PFBC-CBFP must notify the supervisory authority within 72 hours and must document all elements relating to the violation.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person, the controller shall communicate the personal data breach to the data subject without undue delay.

Article 33 of the GDPR - Notification to the supervisory authority of a personal data breach
Article 34 of the GDPR - Communication to the data subject of a personal data breach

The PFBC-CBFP implements the necessary means to inform any person who requests it of the existence of personal data concerning them and the use made of it.

It implements the necessary means to guarantee users and agents access to personal data which concerns them when they request it. It takes all measures to rectify or delete erroneous information.

Each treatment is the subject of complete information to the user or agent and must at least indicate the following elements:

• the identity and contact details of the data controller, and where applicable those of his representative;
• the purposes pursued by the processing for which the data is intended
• the legal basis of the processing
• the categories of data concerned by the collection for processing
• the categories of recipients of personal data, including in non-EU Member States or within international organizations;
• if necessary, additional information, in particular when personal data is collected without the knowledge of the data subject.
• the duration of retention of personal data or, when this is not possible, the criteria used to determine this duration;
• the existence or not of an automated decision
• the existence of the right to request from the data controller access to personal data, their rectification or erasure, and the limitation of the processing of personal data relating to a data subject (PFBC-CBFP are not concerned by the right to restriction of processing)
• the right to lodge a complaint with the National Commission for Information Technology and Liberties and the contact details of the commission.

The PFBC-CBFP must provide its users and agents with precise information on the personal data management policy and the principles that make it up.
The PFBC-CBFP determines and implements all useful and necessary operational measures to enable its services to apply the principles of the personal data management policy.
In this sense, the PFBC-CBFP raises awareness and trains its services on the principles applicable to the management of personal data and promotes good practices.

The PFBC-CBFP has a Data Protection Officer who ensures compliance with the rules regarding the collection and processing of personal data set out in this document. Any person must be able to contact the Data Protection Officer on the principles set out above.

For the purposes of ensuring the sustainability of its personal data management policy, the PFBC-CBFP regularly ensures the adequacy of the principles that make it up to changes in technology, law and the needs of users and third parties.