Privacy Policy
Purpose of the Policy
The following information is provided to inform you about the Group Lenôtre's commitments regarding the protection of Personal Data.
Group Lenôtre builds strong and lasting relationships with its clients, consumers, and customers based on mutual trust: ensuring the security and confidentiality of their Personal Data is a top priority for Group Lenôtre.
Group Lenôtre is committed to complying with all regulatory and legislative provisions applicable to the protection of Personal Data.
Group Lenôtre applies an extremely strict privacy policy to ensure the protection of Personal Data of Users and individuals with whom we interact:
Each User remains in control of their data. It is processed transparently, confidentially, and securely.
Group Lenôtre is engaged in a continuous effort to protect the data of its Users, in compliance with the General Data Protection Regulation (EU) of April 27, 2016 ("GDPR").
Group Lenôtre has a Data Protection Officer.
We have developed this policy to inform you about the conditions under which we collect, process, use, and protect your Personal Data. This policy applies specifically to the Personal Data processed by the companies belonging to the Sodexo group, of which Group Lenôtre is a part.
Please read this policy carefully to understand which categories of Personal Data are collected and processed, how we use this Personal Data, and with whom we may share it. This policy also describes your rights and how you can contact us to exercise those rights or to ask any questions regarding your Personal Data.
It may be modified, supplemented, or updated to comply with any legal, regulatory, jurisprudential, or technical developments. However, your Personal Data will always be processed according to the policy in effect at the time of its collection, unless a mandatory legal provision dictates otherwise and applies retroactively.
This policy is an integral part of the General Terms and Conditions of Use of the Portal.
What is the identity and contact details of the data controller?
LENÔTRE
Simplified Joint Stock Company
Capital: €2,606,142
Head Office: 44, rue d'Auteuil - 75016 Paris
Trade Register: 662 054 543 RCS Paris
(hereinafter referred to as "Lenôtre")
OXYGENE
Simplified Joint Stock Company
Capital: €200,000
Head Office: Route de Suresnes, Bois de Boulogne - 75016 PARIS
Trade Register: 948 807 490 RCS Paris
(hereinafter referred to as "Le Pré Catelan")
Contact email for the Group Lenôtre Data Protection Officer (DPO): dpo.oss.fr@sodexo.com
What are the definitions applicable to this policy?
"Cookies": As defined in the Cookie Management Policy.
"Personal Data": Any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to that person.
"Establishment": The restaurant Le Pré-Catelan.
"We" or "Our": Group Lenôtre acting as the Data Controller.
"Portal": This website and/or, where applicable, mobile application, as well as any sub-sites, mirror sites, portals, or URL variations associated with them.
"Data Controller(s)": Group Lenôtre, which determines the purposes and means of processing your Personal Data.
"Services": Any service provided at our Establishment and/or available through the Portal.
"Processor": A natural or legal person who processes Personal Data on behalf of the Data Controller.
"Processing": Any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"You" or "Users": Any user/visitor of the Portal or recipient of Group Lenôtre's Services.
What are the types of Personal Data that we collect and use?
We may collect and process the following types of Personal Data:
- Information you provide within our Establishment or by filling out forms available on our Portal, including for marketing purposes, participation in surveys, contests, and customer relationship management (e.g., salutation, last name, first name, contact details, etc.);
- Information related to the management of services ordered from our Establishment and/or Portal, such as (e.g., name, first name, address (delivery/billing), contact details, nature of the service, quantity, price, etc.);
- Information for personalizing the ordered service, such as (e.g., dietary preferences, service recipients, email addresses of payment participants, etc.);
- Transaction data for payment purposes, including (e.g., price, payment method, email addresses of payment participants). Please note that credit/debit card information is processed directly by the payment provider specializing in secure online transactions or through the payment terminal at our Establishment;
- Information you provide for managing your application and, if applicable, the recruitment process, such as (e.g., name, first name, phone number, postal and email addresses, CV, information related to your education, professional experience, awards, degrees, certificates, language skills, salary expectations, etc.);
- Information provided through posts, comments, or other content you may display or submit on our Portal;
- Information you provide for managing a contact request, quote, information, or press inquiry, such as (e.g., name, first name, contact details, comments, etc.);
- Your preferences for receiving commercial/marketing information from us and our partners and your communication preferences;
- Surveillance camera footage collected within our Establishment;
- Information collected via cookies and other trackers as defined in our Cookie Management Policy.
We will collect your Personal Data as required by applicable law or because it is necessary for the provision of our Services. Without this information, we will not be able to process your request or provide the Service.
We may aggregate Personal Data to create, among other things, statistical studies and anonymized reports.
What are the purposes for which we may use your Personal Data and on what basis?
Processing Activity: Cookies
- Purpose: Personalization and improvement of your experience on the Portal. For more information on the processing of your Personal Data in the specific context of Cookies, please refer to our Cookie Management Policy.
- Data Controller: Lenôtre
- Legal Basis: Consent. Legitimate interest in implementing the technical measures necessary for the operation of our Portal and Services.
Processing Activity: Video Surveillance
- Purpose: Security of property and individuals.
- Data Controller: Le Pré Catelan
- Legal Basis: Legitimate interest in ensuring the security of property and individuals on our premises.
Processing Activity: Communication with Users
- Purpose: To respond to your requests and inquiries, such as information, quotes, press, or contact.
- Data Controller: Lenôtre
- Legal Basis: Execution and management of our contractual relationship with you. Our legitimate interest in communicating with users of our Services, clients, or prospects and responding to your inquiries.
Processing Activity: Customer Relationship
- Purpose: To manage the customer relationship and contracts related to the Services ordered through the Portal and/or at our Establishment.
- Data Controller: Le Pré Catelan
- Legal Basis: Execution and management of our contractual relationship with you.
Processing Activity: Prospecting
- Purpose: To send you offers and communications regarding our products and services and/or those of our partners.
- Data Controller: Group Lenôtre
- Legal Basis: Our legitimate interest in improving the quality and operational excellence of the services we offer. Your consent for receiving communications and offers from our partners.
Processing Activity: Recruitment
- Purpose: Management of application files, recruitment processes, and any hiring procedures. Management of application files and creation of a pool of candidates to be used for future recruitment activities.
- Data Controller: Group Lenôtre
- Legal Basis: Execution of pre-contractual measures taken at your request and/or execution of the contract. Our legitimate interest in analyzing and managing applications from profiles suitable for our needs. Obtaining consent for the retention of candidate files for spontaneous applications and for profiles kept beyond 24 months.
Processing Activity: Compliance with Legal Obligations
- Purpose: To retain data related to your receipts and/or consumption and transactions for tax or accounting audits.
- Data Controller: Le Pré Catelan
- Legal Basis: Compliance with certain legal obligations.
Processing Activity: Defense
- Purpose: To manage pre-litigation and litigation matters.
- Data Controller: Lenôtre
- Legal Basis: Our legitimate interest in complying with legal and regulatory obligations and defending our rights.
Who will have access to your Personal Data?
Within the Sodexo Group
Group Lenôtre is part of an international group (the "Sodexo Group") under the Sodexo brand.
Your Personal Data may be transferred within or outside the Sodexo Group.
Within the Sodexo Group
The security and confidentiality of your Personal Data are of utmost importance to us and to the other entities within the Sodexo Group. Therefore, we strictly limit access to your Personal Data to our staff members and only to the extent necessary to process your request or provide our Services. We ensure that those authorized to process your Personal Data are committed to maintaining confidentiality or are subject to an appropriate legal confidentiality obligation.
We have also implemented appropriate security and confidentiality measures to ensure a level of protection for your Personal Data even if it is processed by another entity within the Sodexo Group that was not originally responsible for collecting your Personal Data.
The Sodexo Group has implemented Binding Corporate Rules (BCR). Therefore, even if the countries where Sodexo entities operate are outside the European Economic Area, your Personal Data is protected in the same manner as it would be by any entity located within the European Economic Area.
Outside the Sodexo Group
We will not disclose your Personal Data to unauthorized third parties. However, we may need to share your Personal Data with authorized service providers (e.g., technical service providers (hosting, maintenance), consultants, etc.) that we engage for the purposes listed above, in compliance with applicable data protection laws.
All third-party service providers with whom we have disclosed and transferred your Personal Data are bound by a confidentiality and data processing agreement with Group Lenôtre or with one of the Sodexo Group entities, under which the third party can only act in accordance with our instructions.
These third-party service providers and/or, if applicable, other processors, may be located in countries where data protection laws may not offer an equivalent level of protection to European law. To ensure the security and confidentiality of your Personal Data transferred, we take all necessary measures to ensure that your Personal Data benefits from adequate protection, such as by signing the European Commission’s Standard Contractual Clauses (SCCs) or other valid transfer mechanisms with the recipients of your Personal Data.
If you have any questions or need further information regarding the appropriate transfer measures in place, you can contact our DPO at dpo.oss.fr@sodexo.com.
Additionally, we may share your Personal Data (i) if required by law or a judicial proceeding, (ii) in response to a request from public authorities or other officials, or (iii) if we believe that disclosing this data is necessary or appropriate to prevent financial loss, ensure the safety of individuals or protect the public, protect our rights and properties as well as those of our clients, or in connection with an investigation concerning suspected or actual illegal activity.
How Long Do We Retain Your Personal Data?
We will retain your Personal Data for a duration that does not exceed what is necessary for the purposes for which it was collected and processed. This duration may be extended, if applicable, for any statutory limitation periods in accordance with relevant legal or regulatory provisions.
Additionally, please note that we may anonymize your Personal Data to, among other things, produce statistical studies and anonymized reports. This anonymization makes it permanently impossible to identify you.
The retention periods associated with each purpose are detailed below:
Processing Activity: Cookies
- Purpose: Personalization and improvement of your experience on the Portal. For more information on the processing of your Personal Data in the context of Cookies, please refer to our Cookie Management Policy.
- Retention Period: Cookies will be retained for 13 months to fulfill their purposes. IP addresses and statistical data will be retained for as long as necessary for processing.
Processing Activity: Video Surveillance
- Purpose: Security of property and individuals.
- Retention Period: Up to 30 days.
Processing Activity: Communication with Users
- Purpose: Responding to your requests and inquiries, such as information, quotes, press, or contact.
- Retention Period: Up to 12 months after the last contact.
Processing Activity: Customer Relationship
- Purpose: Managing the customer relationship and contracts related to the Services ordered through the Portal and/or at our Establishment.
- Retention Period: We will retain your Personal Data for the duration of our business relationship. After this, only data necessary for pre-litigation or litigation purposes will be archived until the statutory limitation period is reached. The usual limitation period for civil and commercial matters is five (5) years from the end of the contract.
Processing Activity: Prospecting
- Purpose: Sending you offers and communications about our products and services and/or those of our partners.
- Retention Period: Up to 3 years from the collection of Personal Data or the last contact from you.
Processing Activity: Recruitment
- Purpose: Managing application files, recruitment processes, and hiring procedures. Managing application files and creating a pool of candidates for future recruitment activities.
- Retention Period: For the duration of the recruitment process. If the process is successful, for the duration of the employment period. If the process is unsuccessful, for 24 months renewable for the same period, with your consent, to potentially contact you for positions of interest. For managing files: 24 months renewable for the same period, with your consent, to potentially contact you for positions of interest.
Processing Activity: Compliance with Legal Obligations
- Purpose: Retaining data related to your receipts and/or transactions for tax or accounting audits.
- Retention Period: Up to ten (10) years.
Processing Activity: Defense
- Purpose: Managing pre-litigation and litigation matters.
- Retention Period: Until the dispute or litigation is fully resolved or within the limit of the applicable statutory limitation period.
Are Sensitive Personal Data Collected and Processed?
In general, we do not collect Sensitive Personal Data through our Portal or as part of our Services.
Sensitive Personal Data is defined as any information concerning racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health data, or data related to a person’s sex life or sexual orientation. This definition also includes Personal Data related to criminal convictions and offenses.
In the exceptional case where the collection of such data is strictly necessary for the processing purpose or if you have provided us with such Sensitive Personal Data, for example, when you send us an email or a comment, we will handle it in accordance with local data protection laws and, in particular, with your explicit prior consent and under the conditions described in this Privacy Policy.
What is the Applicable Framework for Minors?
Our Portal is intended for adults who are capable of entering into obligations in accordance with applicable law.
A minor under the age of 15 or an incapacitated individual must obtain consent from their legal guardian before entering their Personal Data on the Portal.
What Are Your Privacy Rights?
Firstly, it is important that the Personal Data we hold about you is always accurate and up to date. Please inform us if your Personal Data changes.
The Groupe Lenôtre is committed to protecting your privacy rights under applicable laws. Below is a summary table of your privacy rights:
Your Rights:
Right of Access and Rectification
You can obtain the information referred to in Article 15 of the GDPR and/or request a copy of the Personal Data we hold about you. You can also request the correction of inaccurate Personal Data or that incomplete Personal Data be completed.
Right to Erasure / Right to be Forgotten
Your right to be forgotten allows your Personal Data to be erased when:
- The Personal Data is no longer necessary for the purposes for which it was collected;
- You decide to withdraw your consent;
- You object to the processing of your Personal Data;
- Your Personal Data has been processed unlawfully;
- Your Personal Data must be erased to comply with a legal obligation.
Right to Restriction of Processing
You can request the restriction of processing when:
- You contest the accuracy of your Personal Data;
- We no longer need your Personal Data for the purposes of processing;
- You have objected to the processing on legitimate grounds;
- The processing is unlawful and you oppose the erasure of your Personal Data and instead request restriction of its use.
Right to Data Portability
Where applicable, you can request the portability of the Personal Data you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this Personal Data to another Controller without hindrance, when:
- The processing of your Personal Data is based on your consent or an existing contractual relationship; and
- The processing is carried out using automated means.
You also have the right to obtain that your Personal Data be transmitted directly to a third party of your choice (where technically feasible).
Right to Object / Right to Withdraw Your Consent
You have the right to object (the "right to withdraw") to the processing of your Personal Data (including profiling or direct marketing communications).
When we process your Personal Data based on your consent, you can withdraw it at any time for that specific processing. Once we receive notice of your withdrawal, we will no longer process your information for the purposes you originally agreed to, unless we have another legitimate basis to do so under the law.
Right Not to Be Subject to Automated Decisions
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar manner.
Right to Lodge a Complaint
You may decide to lodge a complaint with the National Commission for Informatics and Liberty (CNIL) at https://www.cnil.fr, without prejudice to any other administrative or judicial remedies.
Right to Post-Mortem Directives
Under the French Data Protection Act, you have the option to set out directives concerning the retention, deletion, and communication of your Personal Data after your death.
These directives can be registered with a certified digital trust service provider, certified by the CNIL, who is responsible for enforcing your wishes in accordance with the applicable data protection regulations.
To exercise these rights, you can use our online request form on the OneTrust platform.
No Fees Generally Required
You will generally not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. In such circumstances, we may also refuse to act on the request.
What We May Ask You
We may ask you for additional information to help us confirm your identity and process your request. This is another appropriate security measure to ensure that Personal Data is not disclosed to a person who is not entitled to receive it.
Rights of Third-Party Beneficiaries
You may exercise the third-party beneficiary rights granted to you under the Groupe Sodexo's Binding Corporate Rules (BCR).
Comment Vos Données Personnelles Seront-elles Protégées ?
We implement appropriate technical and organizational measures to protect Personal Data against any accidental or unlawful alteration or loss, or against any unauthorized use, disclosure, or access, in accordance with security principles.
When applicable, we take all reasonable measures based on the principles of privacy by design and privacy by default to implement the necessary safeguards and protect the Processing of Personal Data. We also conduct a privacy impact assessment based on the level of risk posed by the Processing to adopt appropriate safeguards and ensure the protection of Personal Data. Additional security measures are provided for data classified as Sensitive Personal Data.
Furthermore, if we engage Sub-processors for all or part of the Processing of your Personal Data, we require a contractual agreement with our service providers to ensure the security and confidentiality of Personal Data, in compliance with applicable data protection regulations.
We regularly conduct audits to verify the effective application of rules related to the security of your Personal Data.
However, you also have a responsibility to ensure the security and confidentiality of your Personal Data, so we encourage you to remain vigilant, especially when using an open system like the Internet.
What are the Processing Modalities Applicable to Personal Data Collected in the Context of Customer Relationship Management ("CRM Database")?
We use a database to manage, track, and develop our business relationships with existing and/or potential clients. This database includes Personal Data of the employees of our clients or other partners with whom we have a business relationship or wish to establish one. This data, used solely for these purposes, includes, but is not limited to: contact details (name, first name, phone number, professional email, etc.), publicly accessible information, responses to targeted emails, and other information collected and recorded by our employees during interactions with our clients and/or partners.
This database may be shared with subsidiaries and/or other business partners of the Sodexo group with whom we already have or wish to develop a business relationship. It will be used by these entities solely for the purpose of sending communications to our existing and/or potential clients or offering them services related to their business activities.
Any individual whose contact details are involved in a potential transfer may request to be removed from the CRM database by contacting the recipients. If you wish to unsubscribe from our CRM databases, please email us at data.crm.fr@sodexo.com.
What is the Impact on the Processing of Your Personal Data from Links to Other Sites/Platforms and Social Media?
Occasionally, we may provide links to other platforms for convenience and informational purposes. These platforms operate independently of our Portal and are not under our control or responsibility. These platforms have their own privacy policies or terms of use, which we strongly advise you to read. We disclaim any responsibility for the content of these platforms, the products and services they may offer, or any other use thereof.
Additionally, please note that you may have the option to click on social media icons (Twitter, Facebook, LinkedIn, etc.) displayed on our Portal.
When you click on these icons, we may gain access to the Personal Data that you have indicated as public and accessible from your profiles on the respective social media platforms. However, we neither create nor use any independent database from these social media networks based on the Personal Data you may publish there, and we will not process any data related to your private life through this channel.
If you do not wish for us to have access to the Personal Data published in the public area of your social media profiles or accounts, you will need to use the means provided by the respective social media networks to restrict access to this data.
These links to other websites should not be considered as part of your browsing history, and we disclaim any responsibility regarding the protection of Personal Data implemented by these third parties, each acting as a separate Data Controller for your Personal Data within their own scope. Once you leave our Portal or click on the logo/link to one of these social networks, it is your responsibility to review the privacy policy applicable to that other platform.
How Can You Unsubscribe from a Previously Subscribed Service?
You can also request at any time to stop receiving advertisements or promotional materials by contacting us directly and free of charge, using the unsubscribe link included in any promotional emails we may send you, or through our Online Form. This opt-out does not affect the legality of communications made before it is implemented.
How Will You Be Notified if the Terms of Use of Your Personal Data Change?nges.
We may update or modify this policy as needed. In such cases, changes will only take effect after a period of 30 business days from the date of the modification. Please check this page periodically if you wish to stay informed of any potential changes.
Last Updated: July 2024
How will your Personal Data be collected?
Your Personal Data may be collected in two ways:
We are committed to obtaining your consent and/or allowing you to object to the use of your data for certain purposes when necessary.
In all cases, you will be informed of the purposes for which your data is collected through this policy, various online data collection forms, and the Cookie Management Policy.
Additionally, you may optionally consent to receive personalized communications and offers from us. To withdraw your consent, simply click the unsubscribe link found in the latest communication or personalized offer you received from us.