Personal Data Policy

Home > Personal Data Policy

This page sets out the Personal Data Policy.


Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data, also known as the General Data Protection Regulation (hereinafter the ‘GDPR’), establishes the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and responsibilities of data controllers, subcontractors, data subjects and data recipients. In particular, it requires data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible manner.

In the course of its business, Cité Gourmande, whose head office is at Agropole – ZAC II – BP 113 – 47931 Agen Cedex 9, registered in the RCS of Rennes under number 423 697 440 (hereinafter the ‘Company’), and publisher of the website ‘’, processes the personal data described below.

We attach great importance to your personal data, and through this document we provide you with all the necessary information so that you know what we are doing with your personal data, and so that you are aware of the rights that you can argue at any time.

For a proper understanding of this policy, it is stated that:

  • ’contact(s)’ or ‘applicants’: natural or legal persons connected to the Company (applicants, prospects, liaisons, partners, etc.);
  • ‘Personal data’ means any information concerning contacts or customers (i.e. you) which makes you directly or indirectly personally identifiable, in particular your name, first name, address, telephone number, email address, bank details, identifier, password, cookies, IP address and other information that allows your identification and that you make available to us at any time;
  • ’data controller’: natural or legal person who determines the purpose and means of processing the personal data defined in this policy. Under the latter, the data controller is the Company;
  • ’subcontractor’: natural or legal person who processes personal data on behalf of the data controller. In practice, these are service providers with whom the Company works and who have an interest in the personal data it processes;
  • ’data subjects’: persons who can be directly or indirectly identified. Under this policy, they are classed as ‘applicants’ or ‘contacts’;
  • ’recipients’: natural or legal persons who receive personal data. Data recipients may therefore be both internal recipients and external bodies.


To meet its needs, the Company processes personal data relating to its applicants and contacts. The purpose of this policy is to meet the Company’s requirement to provide information and to formalise the rights and responsibilities of applicants and contacts with regard to the processing of their personal data. This policy applies only to processing for which the Company is responsible. The processing of personal data may be managed directly by the Company or through a specifically designated subcontractor. This policy is independent of any other document that may apply to the contractual relationship between the Company and its applicants and contacts (cookies, business or partnership contracts, etc.).


Processing is carried out by the Company concerning customer and contact data only if it relates to personal data collected by or for the services offered on the Site or on the Cite Gourmande mobile applications, or for branches and franchisees of the Cité Gourmande brands – which sell you the products you buy on the Site on the Cité Gourmande mobile applications – or processed in connection with these services

We may collect your Personal Data when:

  • you visit website;
  • you send a complaint, ask a question or send us any other remark;
  • you provide us with your personal data on the Site or in any way whatsoever.

Any new treatment, modification or deletion of an existing treatment will be brought to the attention of customers and contacts.

The Company does not process sensitive data within the meaning of article 9 of the GDPR (i.e. all data that reveals racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sexual life or sexual orientation of a natural person).

The Company does not make automated individual decisions.


Comments and questions to customer service


Identification: surname/first name/

Contact details: email address

TECHNICAL DATA (on the website)

Identification data (IP) if the comment or question is sent via the online form

Connection data (especially logs) if the comment or question is sent via the online form


Depending on the situation, the Company processes your data for the following purposes:

  • managing the relationship with the applicant or contact
  • process and resolve all your complaints or questions.
  • answering questions we are asked (by phone or online);
  • monitor, develop and improve the Site or our services;
  • meeting our administrative or legal responsibilities;


Processing operations are based on:

  • legitimate interest with regard to the ‘contact’ section..


The Company ensures that data can only be accessed by the following authorised internal or external recipients:

  • on a case-by-case basis and in accordance with the purpose of the processing: representatives and employees of the Company, entities of the Le Duff Group, linked with Cité Gourmande.
  • if necessary, employees of technical service providers of the Company involved in the operation of the website) and offical social media pages of the compagny.

Talking about thoses compagnies :

  • TALSION (web hosting)
  • Public bodies, exclusively to meet the legal obligations of the Company,
  • The auxiliaries of justice, the ministerial officers.

The Company ensures that its subcontractors comply with its obligations under applicable regulations. In addition, the Company reserves the right to conduct an audit of its subcontractors in order to ensure compliance with the provisions of the applicable regulations.

With the exception of the persons specified above, your personal data will not be communicated, transferred, leased or shared for the benefit of any third parties.


If an applicant wishes to fill in an application form for a franchised establishment located in a country outside the European Union, the Company may be required – if necessary as part of the review of this application – to transfer the personal data collected to recipients (within the meaning of article 9) located in the relevant country.

When the country concerned does not have an adequacy decision (which means its data protection level is equivalent to that in place in the European Union), the Company ensures as far as possible that the transfer is backed up by one of the following appropriate safeguard measures:

  • contractual clauses similar to those approved by the CNIL [French National Commission for Information Technology and Civil Liberties];
  • our adherence to an approved code of conduct;
  • compliance with a certification scheme certified by an approved body;
  • binding corporate rules approved by the CNIL.

You can obtain a copy of the guarantees in question by requesting it under the conditions defined below in Article 11.


The data storage period is determined by the Company in view of its legal and contractual constraints.

ProcessingPeriod of conservation
Customer Service Section3 years from the last activity

In general, the data making it possible to establish proof of a right or a contract, which must be kept for compliance with a legal obligation, will be kept for the period provided for by the law in force.

At the end of the period defined for each category of personal data processed, and subject to provisions permitting storage that is strictly necessary for the exercise of a right and proof of this right for the prescribed period applicable or pursuant to the legal requirements to which the Company is subject, the Company:

  • destroys personal data, or
  • stores this data in an irreversibly anonymised form, so that it no longer constitutes personal data within the meaning of the applicable regulations .

Applicants and contacts are reminded that the deletion or anonymisation of data is irreversible and that the Company is not able subsequently to restore it.



Applicants and contacts usually have the right to ask the Company to confirm whether or not their personal data has been processed.

Applicants and contacts also have the right of access.

Applicants and contacts have the right to request a copy of their personal data that has been processed by the Company. However, if an extra copy is requested, applicants and contacts may be required to reimburse the Company for this cost.

If applicants and contacts submit their request for a copy of their data electronically, the information requested will be provided to them in a commonly used electronic format, unless requested otherwise. 

Applicants and contacts are informed that this right of access does not apply to information or data that is confidential or for which the law does not authorise disclosure.


You can exercise this right through your usual point of contact, by default the Communications Department of the Company.

The Company may ask applicants and contacts to comply with requests to allow regular updating of the personal data it collects.

The Company may not be blamed for a lack of updates if the applicant or contact does not update their data.


Under the conditions defined by the texts, you also have applicable, in certain cases, a right to erasure (article 17 of the RGPD), a right of opposition (article 21 of the RGPD), right to limitation (article 18 of the RGPD), a right to portability (article 20 of the RGPD), the right to define directives relating to the fate of personal data after death (article 32 of the law of January 6, 1978 amended).


Applicants and contacts affected by the processing of their personal data are informed of their right to lodge a complaint with the supervisory authority, namely the CNIL in France, if they believe the processing of their personal data does not comply with European data protection regulations. Complaints should be sent to the following address:

CNIL – Complaints department: 3, place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

Tel: +33(0)1 53 73 22 22


The request must be sent by mail to the address: or by post to the address : Cité Gourmande, service marketing – données personnelles, Agropole ZAC II, BP 113, 47931 Agen Cedex 9

Data subjects are informed that these are rights which can only be exercised by them. To meet this obligation, the Company will verify their identity. If a request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may: demand the payment of a reasonable fee which takes into account the administrative costs incurred in providing the information, carrying out communications or taking the action requested; or refuse to act on these requests.


Applicants and contacts are informed on every personal data collection form whether a response is mandatory or optional through the use of an asterisk.

If responses are mandatory, the Company explains to applicants and contacts the consequences of not providing a response.


The Company may present links to other websites. However, the Company is not responsible for the content or the information collection policies on these websites. If you visit third party websites, we recommend that you check their information collection and privacy policies. The Company accepts no responsibility to this regard. Please check these policies before submitting your personal data on these websites.


The Company is given the right by applicants and contacts to use and process their personal data for the purposes defined above.


It is the Company’s responsibility to define and implement the technical security measures, whether physical or logical, it deems appropriate to prevent the destruction, loss, alteration or unauthorised disclosure of data, whether accidentally or unlawfully.

These measures notably include:

  • the use of security measures for accessing the premises (closing offices, badges, etc.);
  • login and password for all our business applications;
  • management of authorisations for access to data
  • VPN for remote connections;
  • Security audits carried out regularly (penetration tests, etc.).

To achieve this, the Company may be assisted by any third party of its choice, as often as it deems necessary, to carry out vulnerability audits or intrusion tests.

In any case, in the event of changes to the means of ensuring the security and confidentiality of personal data, the Company commits to replacing them with higher-performing measures. No changes may lead to a lower level of security.

In the event that all or part of the processing of personal data is subcontracted, the Company commits to contractually imposing on its subcontractors security guarantees through technical measures to protect this data and adequate human resources.


In the case of a personal data breach, and unless the violation in question is not likely to pose a risk to your rights and freedoms, the Company commits to informing the CNIL under the conditions prescribed by applicable regulations.

If this breach poses a high risk to applicants and contacts and data has not been protected, the Company:

  • will inform the applicants and contacts affected;
  • will provide the applicants and contacts affected with the necessary information and recommendations.


The Company has a register of processing operations.


This policy may be changed or adjusted at any time in the event of changes to legislation, case law, CNIL decisions and recommendations or usage.

Any new versions of this policy will be brought to the attention of applicants and contacts by any means chosen by the Company, including electronically (by email or online, for example).