Object

This policy is established by Barestho SRL, located at Avenue de la Bourgogne, 96, 7700 Mouscron, registered under registration number 0740.454.745 (hereinafter referred to as «the data controller").

The purpose of this policy is to inform visitors of the website hosted at www.barestho.com (hereinafter referred to as the «website») about how data is collected and processed by the data controller.

This policy is part of the data controller's desire to act with full transparency, in compliance with its national provisions and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the «General Data Protection Regulation»).

The data controller pays particular attention to the privacy of its users and therefore undertakes to take the necessary reasonable precautions to protect personal data collected against loss, theft, disclosure or unauthorised use.

«Personal data» is defined as any personal data relating to the user. This means any information which allows them to be identified, directly or indirectly, as a natural person. If the user wishes to respond to any of the practices described below, they can contact the data controller at the postal or email address specified in the «contact details» section of this policy.

What data do we collect?

The data controllers collect and process the following personal data, in accordance with the terms and principles described below:

Its domain (automatically detected by the controller's server), including the dynamic IP address.

• All information concerning the pages that the user has viewed on the website.
• Any information that the user has provided voluntarily, for example by completing the contact form.
• The data controller may also collect non-personal data. This data is classified as non-personal data because it does not allow for the direct or indirect identification of a particular person. It may therefore be used for any purpose, for example to improve the website, the products and services offered or the advertisements of the data controller.

If non-personal data were to be combined with personal data, such that the identification of individuals concerned by such data would become possible, this data would be treated as personal data until such time as the link to a particular person is impossible to re-establish.

Collection methods

The data controller collects personal data when the user completes the contact form.

Purpose of processing

Personal data is collected and processed solely for the purposes mentioned below: 

• Ensure the management and control of the delivery of services offered.
• Dispatch and tracking of orders and invoices.
• Sending promotional information on the products and services of the data controller.
• Sending promotional material.
• Answer the user's questions.
• To carry out statistics.
• Improve the quality of the data controller's website and products and services.
• To transmit information about new products and services from the data controller.
• For the purpose of commercial prospecting.

The data controller may carry out processing that is not yet provided for in this policy. In such cases, they will contact the user before re-using their personal data in order to inform them of the changes and give them the opportunity, if applicable, to refuse such re-use.

Legitimate interests

Certain processing activities carried out by the controller are based on the legal basis of its legitimate interests. These legitimate interests are proportionate in relation to the respect of the user's rights and freedoms. If the user wishes to be informed of the details of the purposes based on the legal basis of legitimate interests, they are advised to contact the controller (see section on «Contact details»).

Shelf life

In general, the data controller shall only retain personal data for the period reasonably necessary for the purposes pursued and in accordance with legal and regulatory requirements.

A client's personal data is kept for a maximum of 10 years after the end of the contractual relationship between this client and the data controller.

At the end of the retention period, the data controller shall take all appropriate measures to ensure that personal data has been rendered unavailable and inaccessible.

Application of rights

For all rights set out below, the data controller reserves the right to verify the identity of the user for the application of the rights set out below.

This request for further information will be made within one month of the request being submitted by the user.

Data access and copying

The user can obtain written communication or a copy of their personal data collected, free of charge.

The controller may charge a reasonable fee based on administrative costs for any further copies requested by the data subject. Where the data subject makes the request by electronic means, the information shall be provided in an electronic form of common use, unless otherwise requested by the data subject.

Unless an exception is provided for under the General Data Protection Regulation, a copy of their data will be communicated to the user no later than one month after receipt of the request.

Right to rectification

The user may obtain, free of charge, as soon as possible and at the latest within one month, the rectification of their personal data that is inaccurate, incomplete or irrelevant, as well as have incomplete data completed.

Barring any exceptions provided for by the General Data Protection Regulation, requests to exercise the right to rectification will be processed within one month of their submission.

Right to object to processing

The user may, at any time, for reasons relating to their particular situation, object free of charge to the processing of their personal data when:

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The data controller may refuse to implement the user's right to object when it establishes the existence of compelling and legitimate grounds justifying the processing, which override the user's interests or rights and freedoms, or for the establishment, exercise or defence of legal claims. In the event of a dispute, the user may lodge a complaint in accordance with the «Complaint and Grievance» section of this policy.

The user may also, at any time, object, without justification and free of charge, to the processing of personal data concerning them when their data is collected for commercial prospecting purposes.

Where personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with the General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Unless an exception is provided for under the General Data Protection Regulation, the data controller is required to respond to the user's request as soon as possible and at the latest within one month, and to provide reasons for their decision when they intend not to grant such a request.

Right to restriction of processing

The user can obtain the restriction of the processing of their personal data in the following cases:

• When the user contests the accuracy of data and only for the period it takes for the controller to verify it.
• Where processing is unlawful and the data subject prefers restriction of processing to erasure.
• When, although no longer necessary for the purposes of the processing, the user needs it for the establishment, exercise or defence of their legal rights.
• During the time necessary to examine the grounds for an objection submitted by the user, in other words the time taken by the controller to verify the balance of interests between the legitimate interests of the controller and those of the user.

The controller shall inform the user when the restriction on processing is lifted.

Right to erasure (right to be forgotten)

The user may obtain erasure of personal data concerning them, when one of the following grounds applies:

The data is no longer necessary for the purposes of processing.

• The user has withdrawn their consent for their data to be processed and there is no other legal basis for the processing.
• The user objects to the processing and there is no overriding legitimate ground for the processing and/or the user exercises their specific right to object to direct marketing.
• Personal data has been unlawfully processed.
• Personal data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject.
• Personal data has been collected in the context of the provision of information society services aimed at children.

However, data erasure does not apply in the following cases:

• When processing is necessary for the exercise of the right to freedom of expression and information.
• When processing is necessary to comply with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• When processing is necessary for reasons of public interest in the area of public health.
• When processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, and if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
• When processing is necessary for the establishment, exercise or defence of legal claims.

Unless an exception is provided for by the General Data Protection Regulation, the controller shall respond to the user's request without undue delay and at the latest within one month and shall provide reasons for its decision when it intends not to comply with such a request.

Right to data portability«

The user may at any time, request to receive their personal data free of charge in a structured, commonly used and machine-readable format, in particular for the purpose of transmitting it to another controller when the processing of data is carried out using automated processes and when the processing is based on the user's consent or on a contract concluded between the latter and the controller.

Under the same conditions and according to the same terms, the user has the right to obtain from the data controller that personal data concerning them be transmitted directly to another data controller, provided that this is technically feasible.

The right to data portability shall not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Data recipients and disclosure to third parties

The recipients of the data collected and processed are, in addition to the data controller itself, its agents or other subcontractors, its carefully selected business partners, located within the European Union, who collaborate with the data controller in the context of marketing products or providing services.

In the event that data is disclosed to third parties for direct marketing or commercial prospecting purposes, the user will be informed beforehand so that they can choose to accept the transfer of their data to third parties.

Once this transfer is based on the user's consent, they may withdraw their consent for this specific purpose at any time.

The data controller shall comply with the applicable legal and regulatory provisions and shall, in all cases, ensure that its partners, employees, subcontractors or other third parties with access to this personal data comply with this policy.

The data controller shall disclose the user's personal data if a law, legal process, or public authority order makes such disclosure necessary.

No personal data is transferred outside the European Union by the data controller.

Security

The data controller shall implement appropriate technical and organisational measures to ensure a level of security of processing and of the data collected that is proportionate to the risks presented by the processing and the nature of the data to be protected, taking the risk into account. The controller shall consider the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of users.

The data controller always uses encryption technologies that are recognised as the industry standards within the IT sector when transferring or receiving data on the website.

The controller has implemented appropriate security measures to protect against and prevent the loss, misuse, or alteration of information received via the website.

In the event that the personal data controlled by the controller is compromised, the controller shall act quickly to identify the cause of this breach and take appropriate remedial measures.

The data controller will inform the user of this incident if the law requires them to do so.

Claim and complaint

If the user wishes to object to any of the practices described in this policy, they are advised to contact the data controller directly.

The user can also lodge a complaint with their national supervisory authority, the contact details for which can be found on the European Commission's official website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

In addition, the user has the option to lodge a complaint with the competent national courts.

Contact details

For any questions and/or complaints relating to this policy, the user may contact the data controller: 

• Email: contact@barestho.com
• Post: Rue Albert Libiez, 59 to 7340 Pâturages

Modification

The data controller reserves the right to amend the provisions of this policy at any time. Amendments will be published directly on the data controller's website.

Governing law and jurisdiction

This policy is governed by the national law of the data controller's principal place of business.

Any dispute relating to the interpretation or execution of this policy shall be submitted to the courts of this national law.

This version of the policy dates from 1 December 2019.