COLLECTION OF PERSONAL DATA
Information that the European Centre of Deported Resistance Members may collect is information volunteered by individuals who enter it into online forms (available from the website www.struthof.fr). Each form indicates which information is optional and which is required. These e-mail addresses may be used to respond to your requests and send you information, e.g. the newsletter. However, you may object to receiving these e-mails by sending your request through the contact form.
The European Centre of Deported Resistance Members undertakes to ensure that personal data from this website is collected and processed in a manner compliant with the French Data Protection Act no. 78-17 of 6 January 1978 and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable on 25 May 2018. Thus, unless expressly indicated otherwise on the data entry form, the e-mail addresses that are collected are not transferred or sold to third parties by the European Centre of Deported Resistance Members.
The purpose for which information is being collected is specified on all online forms.
All forms and remote services limit the amount of personal data collected to a strict minimum (data minimisation), indicating in particular:
- why the data is being collected (purposes);
- if the information is required or optional for the handling of your request;
- who will have access to your data (in most cases, only the European Centre of Deported Resistance Members, unless stated in the form when your data needs to be transferred to a third party to handle your request);
- your rights under the French Data Protection Act and how to exercise them with respect to the European Centre of Deported Resistance Members.
The personal data collected within the context of services offered on the websites of the European Centre of Deported Resistance Members is processed in accordance with secure protocols that enable the European Centre of Deported Resistance Members to handle requests received through its IT applications.
Personal information collected as part of the services offered by the European Centre of Deported Resistance Members is stored in compliance with the rules of the departmental archives and the French Data Protection Act of 1978, for the amount of time necessary for the purpose of the processing. The departments of the European Centre of Deported Resistance Members use computer resources to handle your case, your requests and the services with which you are provided.
The information stored is for the use of the relevant departments and will be disclosed only to the staff of the European Centre of Deported Resistance Members and to the authorised recipients.
Pursuant to Articles 15 to 23 of the General Data Protection Regulation, you have the right to access and rectify your personal data. You also have the right to determine the fate of your data after your death, by contacting the Data Protection Officer. For legitimate reasons, you may object to the processing of data concerning you, except if this right has been taken away by a legal provision.
A copy of your personal data may be supplied to you at your request, provided that you pay the cost of reproducing it. However, the European Centre of Deported Resistance Members may choose to deny requests that are manifestly unreasonable, for example, due to the number of requests made or the repetitive or systematic nature of the requests.
Requests to exercise the right to access, rectify, object to and delete personal data may be made:
- in writing
The person making the request sends a signed letter with a copy of proof of identity to the following address:
Centre européen du résistant déporté (Struthof)
Route départementale 130
- or by e-mail directly through the following form “exercising your personal data rights”
Since the entry into force of the European Data Protection Regulation (Regulation (EU) 2016/679) on 25 May 2018, every user has the right:
- to object to profiling
- to request the restriction of processing
- to lodge a complaint with a supervisory authority (in France: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - Telephone: +33 (0)1 53 73 22 22 - www.cnil.fr)
THE 11 PRINCIPLES OF THE PERSONAL DATA PROTECTION POLICY
The following 11 principles underpin the Personal Data Protection Policy of the European Centre of Deported Resistance Members.
PRINCIPLE 1 – RESPONSIBILITY
The European Centre of Deported Resistance Members is the controller of the personal data that it handles directly or indirectly in France and abroad. Therefore, the European Centre of Deported Resistance Members must comply strictly with the French Data Protection Act and with the GDPR.
In accordance with the legal requirements, it must carry out all the formalities necessary for the implementation of personal data processing, whether this data concerns its users or its agents.
PRINCIPLE 2 – DETERMINING THE PURPOSES FOR WHICH PERSONAL DATA IS COLLECTED
The European Centre of Deported Resistance Members must determine the purposes for which it collects personal data.
The data is collected for determined, express and legitimate purposes, and cannot be processed subsequently in a way that is incompatible with these purposes. Subsequent processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered, under Article 89(1) of the GDPR, as incompatible with the initial purposes (purpose limitation).
Articles 6 and 26 of the GDPR.
PRINCIPLE 3 – TRANSPARENCY AND LEGALITY OF THE COLLECTION
The European Centre of Deported Resistance Members does not collect personal data without the knowledge of the data subjects. Likewise, the European Centre of Deported Resistance Members does not collect personal data when the data subjects legitimately object to such collection.
The data is collected legally, in compliance with Article 6 of the GDPR.
The European Centre of Deported Resistance Members provides the data subjects from whom it has collected personal data with information on the purpose of processing, the identity of the data controller, the legal basis for processing, the data retention period and the scope of their rights under Articles 13 and 14 of the GDPR.
PRINCIPLE 4 – LIMITS ON THE COLLECTION OF PERSONAL DATA AND DATA QUALITY
The European Centre of Deported Resistance Members collects only the personal data necessary for the stated purposes. The data is adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimisation).
Article 25 of the GDPR
The data provided by the users must be accurate and, if necessary, the European Centre of Deported Resistance Members will take any necessary and reasonable measures to update it.
Article 16 of the GDPR
PRINCIPLE 5 – LIMITS ON THE STORAGE OF PERSONAL DATA
The European Centre of Deported Resistance Members ensures the updating of the personal data it processes while respecting the intended purposes. The retention periods must not exceed those required to fulfil the intended purposes.
The data retention periods are:
- either issued by the Departmental Archives or by the Archives of France,
- or specified by legislation and/or regulations.
The data retention periods or the information required to determine them are made known to the users.
PRINCIPLE 6 – PHYSICAL AND LOGICAL SECURITY OF PERSONAL DATA
The European Centre of Deported Resistance Members determines and implements the measures necessary to protect the personal data processing systems to prevent any malicious intrusions or losses, alteration or unauthorised disclosure of personal data.
The European Centre of Deported Resistance Members determines and implements security measures ensuring the confidentiality of the data:
Article 34 of the French Data Protection Act.
Article 32 of the GDPR - Security of processing
The European Centre of Deported Resistance Members requires its subcontractors and partners to present sufficient guarantees to ensure the security and confidentiality of personal data (signing confidentiality clauses).
PRINCIPLE 7 – PERSONAL DATA BREACHES
In the event of a security breach, the European Centre of Deported Resistance Members must inform the supervisory authority within 72 hours and document all information concerning the breach.
When a personal data breach is likely to result in an elevated risk to the rights and freedoms of an individual, the controller must inform the data subject of the personal data breach without undue delay.
Article 33 of the GDPR - Notification of the supervisory authority of a personal data breach
Article 34 of the GDPR - Communication of a personal data breach to the data subject
PRINCIPLE 8 – RIGHTS OF DATA SUBJECTS - INFORMATION
The European Centre of Deported Resistance Members implements the necessary means to inform anyone making the request of the existence of personal data about them and the use being made of it.
It implements the necessary means to guarantee users and agents access to personal data concerning them when they request it. It takes every measure to rectify or delete inaccurate information.
Comprehensive information regarding each processing operation is given to the user or agent, including at least the following items:
- The identity and contact details of the controller, and where relevant of its representative;
- Where relevant, the contact details of the Data Protection Officer;
- The intended purposes of the processing of the data;
- The legal basis for the processing;
- The categories of data being collected for processing;
- The categories of the recipients of the personal data, including in non-EU countries or in international organisations;
- If necessary, any further information, in particular when the personal data is collected without the knowledge of the data subject.
- The personal data retention period, or, when that is not feasible, the criteria used to determine that period;
- Whether or not an automated decision-making process is involved;
- The existence of the right to ask the controller for access to, rectification or erasure of the personal data, and the restriction of the processing of the personal data to a given person (the European Centre of Deported Resistance Members is not concerned by the right to restriction of processing).
- The right to lodge a complaint with the French National Commission for Information Technology and Civil Liberties and the contact details of the commission.
PRINCIPLE 9 – IMPLEMENTATION OF THE PERSONAL DATA PROTECTION POLICY
The European Centre of Deported Resistance Members must make available to its users and agents precise information on the Personal Data Protection Policy and the principles that underpin the policy.
The European Centre of Deported Resistance Members determines and implements all of the operational measures that are useful and necessary for enabling its staff to apply the principles of the Personal Data Protection Policy.
For this reason, the European Centre of Deported Resistance Members informs and trains its staff about the principles applying to the management of personal data, and it promotes good practices.
PRINCIPLE 10 – COMPLIANCE WITH THE STATED PRINCIPLES
The European Centre of Deported Resistance Members has a Data Protection Officer who ensures compliance with the rules on the collection and processing of personal data, set forth in this document.
Any person must be able to refer to the Data Protection Officer on the principles set out above.
PRINCIPLE 11 – SUSTAINABILITY OF THE PERSONAL DATA PROTECTION POLICY
In order to ensure the sustainability of its Personal Data Protection Policy, the European Centre of Deported Resistance Members regularly verifies that the principles on which it is based remain consistent with changes in technology, law and the needs of users and third parties.
Centre européen du résistant déporté
Route départementale 130
Personal Data Protection Officer