Iris Galerie

Privacy policy

This translation is provided for convenience; the French version is the legally binding reference.

Data Protection Policy - (EU Regulation 2016/679 of 27 April 2016 (GDPR) and Act No. 78-17 of 6 January 1978)

PREAMBLE:

This data protection policy is intended to inform Data Subjects about the processing of their personal data in the context of automated and non-automated processing, in accordance with the provisions of Act No. 78-17 of 6 January 1978 and EU Regulation 2016/679 of 27 April 2016 (hereinafter the "GDPR") and the other legal and regulatory provisions in force (hereinafter the "Applicable Regulations") relating to the protection of personal data.

The terms "Personal Data", "Data Controller", "Processor", "Processing", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given to them in Article 4 of the GDPR.

THE MAIN CATEGORIES OF PERSONAL DATA SUBJECT TO PROCESSING

The personal data collected is as follows:

i. Before the order: capture of prospects' iris (test, demonstration),

ii. At the time of the order:

a. Identification data (surname, first name, gender),

b. Iris captures,

c. Contact data (postal address, email address, telephone numbers)

iii. During the contractual relationship: Capture of the iris of end customers, data relating to the contractual and commercial relationship between the Data Subjects and IRIS GALERIE (e.g. subscription category, purchase history),

iv. When visiting a website of the IRIS GALERIE network: data collected by means of cookies, trackers or equivalent technical means (for more information on the management of cookies and trackers, please refer to the information notice on the management of cookies).

LEGAL INFORMATION FOR DATA SUBJECTS

The purpose of this document is in particular to provide Data Subjects with the required legal information, which is as follows:

(a) Identity and contact details of the Data Controller of personal data

The identity and postal contact details of the Data Controller of personal data are as follows:

- the company IRIS GALERIE, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 897514618, whose registered office is at 35 rue de l'Annonciation, 75016 Paris (hereinafter "IRIS GALERIE");

(b) Contact details of the Data Protection Officer

The contact details of the Data Protection Officer are as follows:

- Maître Pascal Alix, partner lawyer of AARPI VIRTUALEGIS, 5 rue Jean-Baptiste Dumas, 75017 Paris; email address: dpo.irisgalerie@virtua-legis.com.

(c) Purposes of the Processing of personal data

The purposes of the Processing for which the personal data is intended are as follows:

  • (i) identification of and contact with the Data Subjects (end customers),
  • (ii) identification of the Contact Persons within the service provider entities and members of the IRIS GALERIE network,
  • (iii) provision of contractual services,
  • (iv) administration of contracts and customer accounts,
  • (v) management of relations with contacts at the service providers and members of the IRIS GALERIE network,
  • (vi) sending of information and/or service proposals to the Data Subjects.

(d) Legal bases for the Processing

The legal bases for the Processing are, depending on the Processing:

  • (i) the necessity of carrying out pre-contractual measures taken at the request of end customers before potentially benefiting from the contractual services (tests, demonstrations),
  • (ii) the necessity of performing a contract concluded with the entities that are members of the IRIS GALERIE network and the end customers so that the Data Subjects can benefit from the contractual services,
  • (iii) the necessity, for IRIS GALERIE, of pursuing its legitimate interest, in particular to administer the relationship with the entities that are members of the IRIS GALERIE network and the end customers,
  • (iv) the necessity, for IRIS GALERIE, of complying with the legal obligations to which it is subject, in particular with regard to the exercise of rights and tax and accounting obligations.

(e) Recipients of the personal data

The recipients of the personal data processed are:

  • the members of IRIS GALERIE staff in charge of the contractual services and the administration of relations with the entities that are members of the IRIS GALERIE network and with the end customers,
  • the members of staff of the processor and non-processor service providers of IRIS GALERIE involved in carrying out these services such as, for example, production laboratories, carriers and IT service providers,
  • the members of staff of the entities that are members of the IRIS GALERIE network, joint or independent controllers.

(f) Transfer of personal data outside the European Economic Area (EEA)

Data Subjects are informed that the Data Controller may, where applicable, in particular where a service provider is located outside the EEA, transfer personal data to a third country covered by an adequacy decision issued by the European Commission; if the recipient country is not covered by an adequacy decision, the transfer may only be carried out on the condition that appropriate safeguards are put in place and that the Data Subjects of the Processing of personal data have enforceable rights and effective legal remedies, under the conditions of the Applicable Regulations and in particular Articles 46 to 49 of the GDPR.

(g) Retention period of personal data

The retention periods of the personal data of Data Subjects vary according to the purpose of the Processing and according to the nature of the relationship (prospect who has never contracted or customer).

The table below sets out the main retention periods of the personal data relating to the Data Subjects:

| Categories of data | Purposes | Retention periods |
|---|---|---|
| Prospects | | |
| All personal data (including identification and contact data) | Creation and use of a prospect file | 3 (three) years from the last contact with the prospect |
| Customers and former customers | | |
| Identification and contact data | Management of customer accounts, login credentials and passwords, orders, invoicing and payments. Sending of information on the evolution of offers | For the entire duration of the contractual relationship (as long as the Data Subjects have not expressed their intention to no longer have their personal data retained), within a maximum limit of 3 (three) years from the last order of services and/or documents placed by the Data Subjects. |
| Data relating to the performance of the contract | Management of the customer account, orders, invoicing and payments. | 10 years from the last order of services and/or documents placed by the Data Subjects |
| Iris captures | Production of the works | 24 hours in active database |
| Data relating to the exercise of a right by a Data Subject | Performance of the obligations of Articles 15 et seq. of the GDPR | The data is retained for the calendar year of the request, plus five years. |
| Contacts at processors and non-processor partners | | |
| Identification and contact data | Management of customer accounts, orders, invoicing and payments. Sending of information on the evolution of offers | For the entire duration of the contractual relationship (as long as the Data Subjects have not expressed their intention to no longer have their personal data retained), within a maximum limit of 3 (three) years from the last contact in the context of the last contractual relationship. |

(h) Rights of Data Subjects that may be exercised with the Data Controller (as identified above)

In view of the legal basis of the Processing, including in particular that of consent, the data subject has the following rights, under the conditions provided for by the Applicable Regulations:

  • access to their personal data;
  • rectification of the personal data when it is inaccurate or incomplete;
  • erasure thereof, in particular when this data is no longer necessary with regard to the purpose of the Processing or when the data subject has withdrawn their consent or when the Processing is unlawful, subject to the legal retention obligations;
  • a restriction of the Processing of their personal data when the accuracy of the data is being verified following a challenge by the data subject, when the Processing is unlawful and the data subject objects to the erasure of the data and instead requests the restriction of its use, or when the Data Controller no longer needs the personal data for the purposes of the processing but it is still necessary for the data subject for the establishment, exercise or defence of legal claims;
  • the objection of the data subject to the Processing of their personal data on grounds relating to their particular situation;
  • the objection of the Data Subjects at any time to the Processing of their personal data for marketing purposes, including profiling;
  • the portability of their personal data under the conditions of the Applicable Regulations, which provides in particular that the Data Subjects of a Processing of personal data have the right to receive the personal data concerning them which they have provided to the Data Controller, in a structured, commonly used and machine-readable format, and have the right to have this data transmitted to another Data Controller;
  • the right to define directives relating to the fate of their personal data after their death.

The exercise of the rights as identified in this point (h) is carried out by the data subject with the Data Controller (as identified above) by means of a request made by them or by a duly authorised person, addressed to the Data Protection Officer of IRIS GALERIE at the following email address: gdpr@irisgalerie.com.

(i) Complaint to the CNIL

Data Subjects may, in particular if they consider that the responses provided by the Data Controller to their questions concerning the processing of their personal data are not satisfactory, lodge a complaint with the supervisory authority, namely the French Data Protection Authority (CNIL): 3 Place de Fontenoy - TSA 80715 - 75334 Paris 07.

(j) Mandatory nature of the provision of certain personal data

The exercise by a data subject of their right to object to the processing of certain of their personal data (and in particular location and/or contact data) on grounds relating to their particular situation may prevent the conclusion of the contract. The subsequent exercise of the same right may, where applicable, prevent access to additional contractual services.

(k) Automated decision-making

No automated decision-making within the meaning of the Applicable Regulations is carried out using the personal data collected.

(l) Possible further Processing of personal data

In principle, IRIS GALERIE does not carry out any further processing of personal data for a purpose other than that for which the personal data was collected. However, in the event that processing is carried out for one or more purposes other than those initially determined, and not incompatible with them, the Data Controller shall provide the Data Subjects in advance with the required information regarding such purpose(s) and, if necessary, obtain their prior consent.