Personal data protection

The object of this notice is to inform customers about the way in which La Compagnie Eiffage du Viaduc de Millau (CEVM) uses and protects Personal Data that is collected, as well as the reasons why this data is processed. La Compagnie Eiffage du Viaduc de Millau considers privacy protection to be of the utmost importance and is thus committed to processing Personal data in accordance with both the modified IT and freedom act n° 78-17 of 06/01/1978 and with the General Data Protection Regulation (GDPR) n° 2016/679.

Preamble

What is personal data?
Personal data is any information concerning a physical person, who may be identified or identifiable, directly or indirectly, through an identification number or through one or several elements belonging to that person.

How is personal data collected?
Personal data may be collected directly from a client making contact during a request, a complaint or when asking for specific information, etc. Personal data may also be collected indirectly when travelling on La Compagnie Eiffage du Viaduc de Millau structures through computer and CCTV-related technical equipment.

Who is responsible for processing?
La Compagnie Eiffage du Viaduc de Millau is legally responsible for processing this data: Compagnie Eiffage du Viaduc de Millau PLC, listed on the Millau Trade and Companies Register under the number 562 105 460, whose head office is located at the toll-gate at Saint Germain BP 60457.

Personal data protection
La Compagnie Eiffage du Viaduc de Millau collects and processes Personal data that is absolutely essential for providing customers with personalised, quality services.

Processed personal Data and associated purposes

Subscribing to an electronic toll collection system, customer’s online management of account and badge
The following Personal data is collected through forms filled out by the customer and documents attached: subscriber identity Data, journey Data for calculating the price of the journey made (time and date stamp, network entrance and exit toll-gates), vehicle registration Data and characteristics (linked to certain subscription contracts) and banking Data for billing.

Toll collection
Personal Data processed for calculating toll price according to vehicle category:
- Data concerning passing through toll: toll-gate time and date stamp, vehicle category, price of transaction.
- Data concerning subscribers: identity, subscriber number, information held on payment cards or badges issued by distributors (number, validity end-date and, for certain types of subscription: date and place of birth, vehicle registration number).
- Data required for customer assistance at toll-gate payment point (following customer request or technical alert): videos from CCTV.

Billing management
Processing of personal Data concerning payment methods: distributor identification, bar-code number, validity end-date.

Customer relationship management
CEVM collects and processes personal Data each time contact is made with the customer. The personal Data collected is required for providing the customer with a reply that is adapted to each request, complaint or question. The Data processed is as follows: customer identity, telephone number, postal address, e-mail, reason for request.

Management of exception lists for electronic toll collection subscribers
AREA applies the three processing systems listed hereunder, as part of a service provision contract, on behalf of CEVM.
Ruling n° 2018-092 of 15th March 2018 authorising the Autoroutes Rhône-Alpes (AREA) company to apply automated processing of data of a personal nature for purposes of managing outstanding debt and fraud.

Prevention and management of outstanding debt and subscription renewal
Data processed: customer identity, subscriber number, electronic toll badge number, bank details, subscription date, information concerning payment request refusal (amount, reason given by the bank, corresponding bill), number of electronic toll badges, average consumption amount, history of outstanding debt.

Management of lost or stolen badges
Data processed: subscriber number, electronic toll badge number, date of loss or theft.

Management of fraud on payment systems (e.g. using a false IBAN when taking out a subscription to the electronic toll collection system)
Data processed: identity of bank account holder, number of bank card or IBAN, e-mail address, telephone number, date of birth.

Toll non-payment fines
Customers’ personal Data is processed in compliance with the CNIL (French National Information Science and Liberties Commission) ruling n° 2012-324 of 20th September 2012.
Categories of personal Data processed:
Footage from CCTV cameras installed on toll lanes.
Data collected in the event of a non-payment dispute:
- Data concerning the offence: date, time, lane, toll-gate, toll-gate worker, toll amount, class.
- Data concerning the vehicle driver and owner: surname, first name, address.
- Data concerning the vehicle: brand, type, registration number, country.
Data for consulting the French Vehicle Registration System (SIV): registration number, brand, model, vehicle colour type, toll-gate, lane, date and time of offence, ID number of fine-issuing official.
Data from SIV: surname or business name, first name, usual name or married name, SIREN (Company Register) number, address, ensuring that the name on the registration certificate is the owner of the vehicle, vehicle features for ruling out false registration plates or stolen registration plates (brand, model, colour).

Management of guided tours (tourist site)
CEVM’s communication, tourism and promotion department collects the following personal Data:
- Upon registration for guided tours of the structure at the Millau Viaduct visitors' area: identity, postal address, e-mail address, telephone number.
- Quality questionnaire sent to the customer: e-mail address.

Recordings of conversations
The Security Headquarters conversations are recorded: network of emergency telephones, intercoms (toll lanes, entrances to operations building), direct telephone contact, for the following purposes:
- Management of Customer requests for assistance;
- Management of Customer complaints;
- Transaction observations (concerning calls made from toll-gates).
The Data that is necessary for managing the following purposes is collected: conversation contents and time and date stamps.

Legal basis for personal Data processing
La Compagnie Eiffage du Viaduc de Millau is authorised to process the following personal Data, in particular as part of:
- Fulfilling the electronic toll payment contract, in all its aspects;
- Carrying out a public service mission for calculating and collecting tolls, for invoice management and for recording conversations with the Security Headquarters;
- Respecting a legal obligation for managing toll non-payment fines;
- Legitimate interest in registration for services provided: registration for guided tours, sending the quality questionnaire, customer relationship, managing lists of exceptions concerning the electronic toll collection subscribers.

Mandatory or optional nature of personal Data
Some of the personal Data, mentioned in the forms, is mandatory.
Should the subscriber not wish to communicate this Data, CEVM is unable to grant access to the services provided. Users are informed of the recording of conversations by a sticker on the equipment.

How long processed Data is retained
In accordance with the principles defined in the regulation, CEVM retains personal Data only for the amount of time required for reaching the objective intended upon collection. The following conservation periods are therefore respected:
- Subscription to an electronic toll collection system: 5 years after the final closure of the subscription contract, in compliance with the regulation concerning legal prescriptions.
- Toll collection: Data concerning journeys: 5 years or 10 years in the event of a tax receipt having been delivered.
- Invoice management: 10 years in accordance with regulations.
- Customer relationship management: Data from non-subscribed customers is retained for 2 years starting from the most recent request.
- Managing lists of exceptions concerning the electronic toll collection subscribers: Data is subject to a conservation period in compliance with the aforementioned CNIL ruling:
  1/ Prevention and management of outstanding debt and subscription renewal: the Data is conserved in the objections list until settlement of the outstanding debt, and for 5 years in the event of non-settlement. Duration of non-renewal of subscription in the event of outstanding debt: 3 years.
  2/ Management of lost or stolen badges: Data is conserved for a maximum period of 5 years after declaration of loss or theft.
- Management of fraud on payment systems: Data is conserved for a maximum of 6 years.
- Fines for non-payment of toll: the video recordings are conserved for a maximum of 30 days. The other Data (including the photographs from the video recordings) is conserved for the amount of time deemed necessary for the case to be examined, within the limits of legal prescription with regards to fines, i.e. one year.
- Management of guided tours (Tourist Site):
  - Reservation by e-mail: the Data is deleted as soon as the visit is finished.
  - Management of the «Groups» customer database: the Data is conserved for 2 years starting from the latest request.
  - Management of the quality questionnaire: the Data is deleted as soon as the questionnaire has been sent.
- Conversation recordings: the conversation recordings are conserved for 30 days.

Recipients of processed Data:
- Subscription to an electronic toll collection system: the personal Data is accessible to the authorised internal services of La Compagnie Eiffage du Viaduc de Millau. The AREA company is the recipient (in its capacity of personal data administrator) of the Data as part of a service provision contract that respects the personal Data protection regulations.
- Toll collection: the subcontractors, APRR, AREA, TOTAL, SHELL ESSO, DKV, are recipients of the Data as part of contracts that respect the personal Data protection regulations.
- Invoice management: depending on the Data categories, the Data is accessible to the banks, accreditors, senders of the subscriptions for the electronic toll collection system, and other motorway concessionary companies.
- Customer relationship management: the personal Data is processed by the authorised internal services. In the event of reimbursement for processing a request, the Data is transferred to the banks.
- Managing lists of exceptions concerning the electronic toll collection subscribers: the other motorway concessionary companies are the recipients of the Data when concerning management of badges that have been declared lost or stolen.
- Management of fraud on payment systems: partner banks.
- Fines for non-payment of toll: the recipients of the personal Data concerning fines for non-payment of toll are:
  - Duly authorised CEVM staff
  - Duly authorised SIV administrators
  - The Public Ministry Officer in the event of non-payment
- Management of guided tours (Tourist Site): the personal Data is processed exclusively by the authorised internal services of CEVM.
- Conversation recordings: the authorised internal services of CEVM and the Préfet.

Security measures applied to personal Data
The personal Data is subject to all the technical and organisational measures required for ensuring its confidentiality and security from any breach of data, destruction, loss, alteration, disclosure, reproduction or from any unauthorised access. CEVM subcontractors are subject to the same confidentiality and security obligations within the framework of contracts that respect personal Data protection regulations.

Personal Data localisation
The Data is not sent outside the European Union.

Automated decision making
Processing of the data is not subject to automated decision making.

The rights of individuals whose personal Data is processed
In accordance with regulations, all individuals concerned are entitled to the following rights: the right of access, rectification, deletion, objection on legitimate grounds, limitation of processing and portability of personal data. All of these rights may be exercised by contacting the data protection delegate at La Compagnie Eiffage du Viaduc de Millau by e-mail at: firstname.lastname@example.org or by regular mail at the following address: DPD CEVM - Péage de Saint-Germain - BP 60457 - 12104 Millau Cedex.

Right to file a complaint with the CNIL
Any individual concerned by processing of their personal Data and who, having contacted the processing manager, considers that their rights are not respected, may file a complaint with the CNIL (French National Information Science and Liberties Commission).