Privacy and Data Protection Policy

This document develops and describes our principles and commitments for the protection of your Personal Data and aims to inform you about :

- The Personal Data that Perpignan Méditerranée Métropole, hereinafter referred to as the Metropole, and its services collect, and the reasons for this collection,

- How the Personal Data will be used,

- Your rights as a data subject of our data processing.

This Policy applies to all the services of the Metropolis whatever their nature (site, applications, services ...)

A. The Data Controller of your data

The data controller is the Communauté Urbaine Perpignan Méditerranée Métropole represented by Mr Robert Vila, President

The contact details are as follows:

• Postal address: 11, bd Saint Assiscle - BP 20641 - 66006 Perpignan Cedex

• Telephone: 04.68.08.60.00

• E-mail: accueil.pmca@perpignan-mediterranee.org

B. How the Metropolis implements the protection of Personal Data

The Metropolis undertakes to take into account the protection of your Personal Data and your privacy from the design of the processing operations implemented for the services offered to you(Privacy by design).

To ensure security and guarantee the respect and proper exercise of your rights, measures to ensure the protection of your Personal Data are also implemented(Privacy by default) for all processing.

C. What Personal Data is used by the Metropolis?

The Metropolis undertakes to collect only data that is strictly necessary for the execution of its missions and the realisation of the proposed services.

In the event that you are asked for optional data, the operational managers in the directorates will clearly inform you which Personal Data is necessary to provide the service and which is optional.

Personal Data is collected directly from you or indirectly for the use of the services offered by the community and is only used for the purposes that are or will be brought to your attention.

D. What is the basis for the legitimacy of our treatments?

The Metropolis relies on the following legitimate bases for processing Personal Data:

• A public service mission

The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This could include, for example

- Collection of household and similar waste

- Drinking water and sanitation services

- Other...

§ Performance of the contract

The legal basis for the processing of the user's Personal Data that are collected for the purpose or in the context of the execution of a contract. In this respect, the user is obliged to provide the data necessary for its execution. If he/she does not provide such data, it will not be possible to fulfil the provisions of the contract. Such as :

- The execution of public contracts

- Housing aid

- Other...

§ Legal obligations

The processing of your Personal Data is based on the application of a legislative or regulatory rule, in connection with the authority's competences and the public service missions for which it is responsible.

This could include, for example

- Processing related to the administration of services: registers, deliberative assemblies, etc.

- Instruction of town planning authorisations

- Other...

§ Consent

The basis for the processing of Personal Data shall be the explicit consent of the user.

This could include, for example

- Management of the registration to Metropolitan services or applications

- Registration to receive personalised information tailored to the user's profile

- Other...

Withdrawal of consent for processing will, subject to legal and regulatory provisions, result in the deletion and erasure of Personal Data.

§ Legitimate interest

The basis of the processing of Personal Data shall be the legitimate interest of the Metropolis for processing that does not fall within its public service missions, such as

- Websites: to be able to guarantee that they remain safe, or to understand the needs, expectations and satisfaction level of users, to improve the local relationship through the services provided or to provide information on the life of the urban community or necessary for its inhabitants

- Communication of information: in the context of invitations to events organised by the Metropolis

- Others....

E. Personal Data of minors?

Some services may be used by minors. In this case, minors must obtain the consent of their parents or legal representatives.

F. To whom may your Personal Data be disclosed?

Your data may be transmitted in the context of the services provided:

• To internal departments of the Metropolis, including the directorates in charge of the execution of the subscribed services

• To external service providers such as technical service providers, including subcontractors, who undertake to comply with the applicable legislation

• To institutional or private partners or authorised third parties in compliance with the applicable regulations

G. Can your Personal Data be transferred outside the European Union?

The Metropolis carries out all the processing of your Personal Data on the territory of the European Union (EU).

However, for certain specific services, the Metropolis may use subcontractors established outside the EU. Certain Personal Data may then be communicated to them for the strict needs of their missions. In this case, in accordance with the regulations in force, the Metropolis requires its subcontractors to provide the necessary guarantees for the supervision and security of these transfers, in particular by signing the European Commission's standard contractual clauses.

H. How long does the Metropolis keep your Personal Data?

The length of time your Personal Data is retained depends on the public service provided and/or subscribed to and the related regulatory obligations.

The Metropolis undertakes not to keep your Personal Data beyond the period necessary for the service provided and therefore for your use of the service, plus the period of retention imposed by the rules applicable to legal prescription.

Where appropriate, information on the duration will be provided to you as part of the information obligations related to the specific implementation of each processing operation.

I. Is your Personal Data protected?

The Metropolis undertakes to take all measures to ensure the security and confidentiality of Personal Data and in particular to prevent them from being damaged, deleted or accessed by unauthorised third parties.

Furthermore, in the event of a security breach affecting your Personal Data (destruction, loss, alteration or disclosure), the Metropolis undertakes to respect the obligation to notify the CNIL of any Personal Data breaches within 72 hours.

J. What are your rights regarding your Personal Data?

You may at any time exercise the rights provided for in the current regulations applicable to personal data, subject to the basis of each processing operation and to meeting the conditions:

§ Right of access : you can have access to your Personal Data processed by the Metropolis;

§ Right of rectification : you can update your Personal Data or have your Personal Data processed by the Metropolis rectified;

§ Right of opposition : you can express your wish not to receive any further protocol or territorial marketing communications from the Metropolis or request that your Personal Data no longer be processed;

§ Right to erasure : you may request the deletion of your Personal Data;

§ Right to limitation : you can request the suspension of the processing of your Personal Data;

§ Right to portability : you can ask the Metropolis to recover your Personal Data in order to dispose of them.

When subscribing to a public service or collecting your Personal Data, you are given the address (postal and/or electronic) to which you can send your request to exercise your rights. All requests must be accompanied by proof of identity.

The Metropolis undertakes to respond to your requests to exercise your rights as soon as possible, in any event within the legal time limits and insofar as the exercise of this right does not prejudice the performance of the contract or compliance with legal and regulatory obligations.

K. The Data Protection Officer of Perpignan Méditerranée Métropole

The appointment of a Data Protection Officer demonstrates the Metropolis' commitment to the protection, security and confidentiality of its users' Personal Data.

You can contact the Data Protection Officer at the following e-mail address dpo@perpignan-mediterranee.org

Or to the following postal address Perpignan Méditerranée Métropole 11, bd Saint-Assicle - BP 20641 - 66006 Perpignan Cedex

If, after contacting us, you feel that your rights to data protection have not been respected or that the systems implemented do not comply with the data protection rules, you can submit a complaint to the CNIL www.cnil.fr

L. GLOSSARY

Each term beginning with a capital letter has the meaning given below.

• "Privacy and Data Protection Policy" and "Policy" means this Policy describing the measures taken for the processing, use and management of your Personal Data and your rights as a data subject.
• "Personal Data" means any information relating to you that directly or indirectly identifies you.
• "Processing" means any operation or set of operations applied to your Personal Data.
•  "Data Controller": Refers to the President of the Metropolis who processes your Personal Data.
• "Personal Data Breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your Personal Data.
• - Recipient" means the department or company that receives communication and may access your Personal Data.