Privacy & cookies policy

Latest amendment: 06/03/2021

Preamble:

Personal data is all information on the basis of which you can be identified or are identifiable, such as your name, your identification number, your location data, an on-line identifier, one or more factors which may be characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of you as an individual.

“Processing” is any operation or set of operations applied to data, whether or not carried out with the aid of automated processes, from collection through to the erasure of the data.

The aim of this privacy & cookies policy is to inform visitors to the Site (available via the link https://www.tollet.com/, hereinafter “the Site”) and all persons concerned (hereinafter “the persons concerned“) by the processing of their personal data carried out by the société anonyme TOLLET (public limited company referred to in 1.1 of this policy as data controller) of the nature of the processing operations carried out and of their rights.

Table of contents

• Article 1: The data controller
• Article 2: Application and communication of the data by the persons concerned 
• Article 3: Data processed, legal bases and purposes of the processing operations
• Article 4:  Data retention period
• Article 5: Transfer of data
• Article 6: Technical and organisational security measures
• Article 7: Rights of the persons concerned
• Article 8: Cookies 
• Article 9: Making contact and complaints

Article 1: The data controller and scope of application

1. The data controller (as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/CE – hereinafter “GDPR”) is the société anonyme (public limited company) TOLLET, the registered office of which is situated at Rue des Fripiers, 36, 1000 Brussels, Belgium, and which is known on the Belgian business database, La Banque Carrefour des entreprises, under the number BE 0435.980.257 (hereinafter “the data controller”).

2. The data controller processes the personal data of the persons concerned in accordance with the GDPR and the applicable national provisions such as the Act of 30th July 2018 on the protection of natural persons with regard to the processing of personal data.

3. The present privacy and cookies policy informs the persons concerned of the nature of the personal data processed by the data controller and of the purpose and legal basis thereof and of their rights. 

4. The persons concerned understand and accept that the present policy applies to them in their relations with the data controller or when they visit the Site and also understand and accept that this policy cannot take the place of the confidentiality policies of the commercial partners of the data controller and may be updated at any time. (We always give the latest amendment date on the first page.)

Article 2: The data communicated by the persons concerned 

1. By visiting the Site or by contacting us, the persons concerned who communicate personal data there by sending us a request by email, by sending us a letter or via any contact request in written or electronic form (for example, by subscribing to our newsletter or by asking to be alerted to new products or interesting offers being brought out) acknowledge that they are wholly responsible for the accuracy of the data which they provide.

2. If personal data regarding third parties is provided in this context, the persons concerned guarantee to the data controller that they have, beforehand, obtained all the necessary consents from the relevant third parties to communicate that data. If this should not be the case, the persons concerned accept that they are wholly responsible for any direct or indirect loss or detriment suffered by those third parties or by the data controller as a result of those unauthorised communications and they exonerate the data controller from any proceedings or discussion in this regard. 

Article 3: Data processed, legal bases and purposes of the processing operations

• Via functional cookies:

Data collected: When you visit the Site without registering (via functional cookies only): the data controller may have access with your IP address, search terms and, possibly, the type of errors encountered. 

Purpose & legal basis of processing: The basis for maintaining and improving the Site is the legitimate interests of the data controller in improving the platform and its services continuously. (Article 6,1,f of the GDPR).

• Via analytical cookies:

Data collected: The IP address of the users may be collected by the data controller in order to produce semi-anonymous statistics.

Purpose & legal basis of processing: The data controller uses certain statistics cookies from Google Analytics in order to gather anonymous information regarding the use of its services. The data controller has access to that data in the form of semi-anonymous statistics.

Purpose & legal basis of processing: The data controller always requests the consent of the persons concerned before implementing analytical cookies via its cookie banner (Article 6,1, a of the GDPR). The use of analytical cookies is also justified by the legitimate interest of the company/data controller in optimising the performance of the Site and fulfilling its corporate objective.

For more information on the way in which Google processes your data, please see Google’s privacy & cookies policy: https://marketingplatform.google.com/about/analytics/terms/fr

• In the context of making contact (Contact Tollet — Expertise in watchmaking and jewellery since 1902) :

Data collected: surname, first name, e-mail address, e-mail content.

Purpose & legal bases of processing: In order to enable the data controller to reply to a request for information initiated by the person concerned. 

The collected data reflects the legitimate interest of the data controller in replying to the requests of its existing/potential customers and is also justified on the basis of the execution of pre-contractual measures initiated by the person concerned him/herself. (Article 6,1, b and f of the GDPR).

• Management of customer and supplier data;

Data collected: surname, first name, e-mail address and, possibly, telephone number of the customer’s or supplier’s contact person.

Purpose & legal bases of processing: The processing of the data necessary for the fulfilment of contractual or pre-contractual obligations entered into between the customer or the supplier and the data controller with the aim of keeping the customer and supplier databases up to date. (Article 6,1, b of the GDPR).

This processing is also justified on the basis of legal obligations by which the data controller is bound (notably accounting or fiscal obligations). (Article 6,1,c of the GDPR).

• Sending a newsletter (“Stay informed” form available on the page: Watches and jewellery, a company which unites quality, styles and budgets (tollet.com)) :

Data collected: surname, first name, e-mail address.

Purpose & legal basis of processing: The persons concerned agree to receive marketing communications and personalised advertising from the data controller on the basis of the explicit, specific and free consent. (Article 6,1, a of the GDPR).

Article 4 – Data retention period

• Via functional cookies

This type of cookie is always deleted at the end of a session.

• Via analytical cookies

The data controller does not keep personal data via this type of cookie, only semi-anonymous statistics. The IP addresses of the users/visitors are kept according to the periods stated in Google’s privacy & cookies policy, available via the following link: https://marketingplatform.google.com/about/analytics/terms/fr.

• In the context of making contact (Contact Tollet — Expertise in watchmaking and jewellery since 1902) :

6 months after the latest contact made if no order is pending.

• Management of customer and supplier data;

For the term of the contract and of the legal, accounting and fiscal obligations.

• Sending a newsletter (“Stay informed” form available on the page: Watches and jewellery, a company which unites quality, styles and budgets (tollet.com)) :

Until the person withdraws his/her consent.

Article 5 – Transfer of data

1. The data controller may give its colleagues or employees access to the personal data that it processes. They are contractually bound by a confidentiality obligation and obliged to process your data in accordance with its instructions. 

2. The data controller may also, in certain cases, use the services of data processors (service providers) who are bound by a confidentiality obligation and who process your data in accordance with the instructions of the data controller, having adopted appropriate organisational and technical security measures.

3. In this scenario, your data could be communicated to or stored with a data processor based in a country which is not a European Union member State. Such communication or transfer outside of the European Union will take place only if a so-called adequacy decision applies to the country concerned and if sufficient contractual guarantees are provided by the data processor in question regarding the security of the processing operations. Moreover, pursuant to Article 49, 1, b) of the GDPR, in the absence of an adequacy decision or of binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation could take place on the basis of the performance of a contract between the person concerned and the data controller or the implementation of pre-contractual measures taken at the request of the person concerned.

4. In the event of reorganisation or the total or partial transfer of the business activities by the data controller or in the event of bankruptcy, the data controller may transfer your personal data that it processes to new entities or new third parties carrying out all or some of the professional activities of the data controller.

5. If applicable, the data controller will make reasonable attempts to inform the persons concerned before their data is transferred to third parties. However, the persons concerned understand that this is not technically or commercially feasible in all situations. 

6. It can happen, in exceptional cases, that the data controller is compelled to disclose personal data by virtue of a legal injunction or in order to comply with mandatory regulations or legislation. If applicable, the data controller will make reasonable attempts to inform the persons concerned beforehand, subject to the limits provided for by law.

7. The data controller will not, under any circumstances, sell the personal data that it processes, nor will it hire out that data or make it commercially available to third parties, subject to what is provided for above or, if applicable, on the basis of your prior consent.

Article 6 – Technical and organisational security measures adopted by the data controller

1. The data controller has developed  suitable security measures at technical and organisational level to avoid the destruction, loss, falsification, amendment, unauthorised access or accidental disclosure to third parties of your personal data (as well as any other unauthorised processing).

2. As far as your use of the Site is concerned, the persons concerned agree to follow, at all times, the security instructions and the general terms and conditions of use provided by the data controller. The persons concerned also agree, in so far as possible, to prevent any unauthorised access to their computer, personal session or to their email box, or to their personal mobile devices such as mobile phones, smartphones, tablets, etc., or any unauthorised access based on their IP address and their identifying data. 

Article 7 – Rights of the persons concerned

• Access, rectification and erasure of your data:

The persons concerned have the right to request access to their data, rectification of incorrect or incomplete data or, subject to a legitimate reason, the erasure of their data (processed by the data controller). 

Such an erasure of data is not possible if it is necessary to process the data for the justification of or defence in the context of legal action.

The persons concerned acknowledge that, in the event of a request to erase their personal data, the data controller might no longer be able to provide them with certain products and services. 

• Restriction of processing:

The persons concerned have the right to request the restriction of a processing operation, in particular if they dispute the accuracy of the data, if the processing is unlawful and they object to the erasure of the data.

The persons concerned acknowledge that, in the event of refusal to give their personal data, (if applicable), the data controller might no longer be able to provide them with certain products and services.

• Portability of the data:

The persons concerned have the right to obtain the personal data which concerns them (or to ask the data controller to transmit that data to another data controller) in a structured, commonly used and machine readable format. 

Such receipt or transmission is not possible if it is necessary to process the data in order to bring or defend a legal action.

• Automated decisions and profiling:

The persons concerned have the right not to be bound by individual decisions based on automated processing if that results in significant legal or personal consequences for them. The persons concerned may also object to being the subject of profiling.

Third-party platforms such as Facebook may, possibly, create profiles on the basis of the data collected via the cookies implemented on the Platform. In this case, it is incumbent upon the persons concerned with the Site to contact the relevant platforms.

• Right to object and withdraw consent:

The persons concerned may object to the processing of their personal data on serious and legitimate grounds. 

The persons concerned always have the right to object to the use of their personal data for direct marketing purposes. If applicable, the persons concerned do not have to give any reason.

In so far as a processing operation is based on their prior consent, then the persons concerned have the right to withdraw that consent by contacting the data controller or by clicking on the opt-out link provided to that end.

• Exercising your rights:

The persons concerned with the Site may exercise their rights by contacting the data controller to that end either by e-mail to the e-mail address info@tollet.com

or by letter posted to the registered office of the data controller or by browsing in the “Contact us” section of the Site. (Attaching a scan of your identity card, which is used solely for the purpose of identifying you).

The data controller will inform you of its reply in writing, within 30 days of receipt of your request and may, depending on the circumstances, request a further period of up to two months after the expiry of the first 30-day period.  (Article 12.3 of the GDPR)

Article 8 – Cookies 

1. A “cookie” is a small file sent by the server of the data controller and installed on the hard disc of your computer. The information that it contains may be sent back to our servers or those of relevant third parties during a subsequent visit.

2. There are different categories of cookies:

Functional cookies are cookies which ensure the smooth-running of all the parts of a Website. These are, for example, cookies which are essential for the protection of the Website, cookies which are necessary to ensure the correct load balancing (that is to say, the distribution of requests to a server over a certain number of computers) and cookies allowing for adaptation of the user interface (notably the choice of language and the display of search results). We may place these cookies without your consent for that purpose.

Non-functional cookies are placed for statistical, social and commercial purposes and do not meet the necessary conditions to be exempted from the obligation for consent. Your explicit consent is required for the placement of these cookies.

3. The Site of the data controller uses exclusively the following cookies: 

           Functional cookies:

Name	Category	Period	Purpose
PHPSESSID	Functional	Period of browsing.	Used to retrieve or define the session identifier for the current session.
_auth	Functional	1 day	Used when a member wishes to log in by ticking the “remember me” box.
_AfflD	Functional	30 days	Used to register the identifiers of the affiliated members in the context of a membership campaign, activated only when someone clicks on a link containing the affiliated member’s identifier.

           Non-functional cookies:

Name	Category	Period	Purpose
_ga	Analytical	1 year	Counts page views in order to produce anonymous statistics.
_gat	Marketing	1 hour	Measures engagement.
_gid	Analytical	1 day	Counts page views in order to produce anonymous statistics.

Article 9. Making contact and complaints

1. The persons concerned may also (if they consider that their rights are not being respected by the data controller) lodge a complaint with the Data Protection Authority.

Contact details:
Rue de la presse, 35, 1000, Brussels
Tel: +32 (0)2 274 48 00
contact@apd-gba.be

2. A complaint to the Data Protection Authority is not prejudicial to bringing (if applicable) proceedings before a civil court (in the event of losses or detriment suffered by the person or persons concerned as a result of an infringement of their rights).