Updated on 09/01/2024

The French Environment and Energy Management Agency ("ADEME"), a public industrial and commercial establishment with its registered office located at 20, avenue du Grésillé 49000 Angers, attaches great importance to the protection of Personal Data that it collects and processes as a data controller in the course of its business activities.

Accordingly, the collection and Processing of Personal Data carried out by ADEME in connection with the operation of its business and the use of its products or services, its informational or communication websites, its databases, its web applications (which may require account creation and allow user/application interaction), and its mobile applications are governed by this data protection policy (hereinafter referred to as the "Policy").

All Personal Data Processing carried out within the framework of the accessible Services complies with the applicable regulations on personal data protection, and in particular the provisions of the French Data Protection Act ("Informatique et libertés") of January 6, 1978, as amended, and the General Data Protection Regulation (Regulation EU 2016/679) ("GDPR").

To ensure the proper application of these rules, ADEME has appointed a Data Protection Officer who serves as the primary contact for the French National Commission for Information Technology and Civil Liberties ("CNIL"). ADEME also implements appropriate internal procedures to raise awareness among its employees and ensure compliance with these rules throughout its organization.

The purpose of this Policy is to present to Data Subjects (as defined below):

  • The manner in which ADEME processes the Personal Data (as defined below) that it collects and that Data Subjects provide with their consent or on any other legal basis, notably to enable the provision of ADEME's Products or Services;
  • The rights of Data Subjects;
  • The potential recipients of a data transfer.

Data Subjects are therefore invited to read this Policy carefully to know and understand ADEME's practices regarding the Processing of Personal Data implemented by ADEME.

Definitions

Capitalized terms have the definitions provided below. Terms have the same definition whether used in the singular or the plural.

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Subject(s)" means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • "Products" means products provided by ADEME.
  • "Data Controller" means ADEME, which is the legal entity that, alone or jointly with others, determines the purposes and means of the processing.
  • "Services" means services provided by ADEME.
  • "Sites" means all web pages and resources accessible on the Internet.
  • "Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

What are ADEME's commitments regarding Personal Data protection?

ADEME undertakes to guarantee a high level of protection for the Personal Data of Data Subjects who use its Sites and other Products or Services, and of any other person whose Personal Data it processes.

ADEME undertakes to comply with the applicable regulations (in particular Articles 5 and 6 of the GDPR) for all Personal Data Processing it implements. More specifically, ADEME undertakes to respect the following principles:

  • Personal Data is processed lawfully, fairly, and in a transparent manner (lawfulness, fairness, transparency);
  • Personal Data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes (purpose limitation);
  • Personal Data is kept adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimization);
  • Personal Data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate data, having regard to the purposes for which it is processed, is erased or rectified without delay (accuracy).

ADEME implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk inherent in its Processing operations, to meet regulatory requirements, and to protect the rights and Personal Data of Data Subjects from the design stage of the Processing operations.

Furthermore, ADEME contractually imposes the same level of Personal Data protection on its processors (service providers, suppliers, etc.).

Finally, ADEME undertakes to respect any other principle required under applicable regulations on Personal Data protection, specifically regarding the rights granted to Data Subjects, Personal Data retention periods, and obligations relating to cross-border transfers of Personal Data.

What categories of Personal Data are collected?

In connection with the use of its products or services as well as its websites, several types of Personal Data may be collected by ADEME.

Mainly, the collected data falls under the following categories:

  • Identification data: last name, first name, pseudonym, date of birth;
  • Contact data: landline or mobile phone number, postal address, email address.

Methods of collecting Personal Data

Data Subjects are likely to communicate their Personal Data to ADEME by various means, notably on the Sites during internet browsing and through the Products or Services, by filling out various collection forms, when subscribing to a newsletter, when creating an account, when submitting an application, during any contact with ADEME, or during any other transmission of Personal Data under other circumstances.

Processing Purposes and Legal Bases

The purposes of the Personal Data Processing carried out by ADEME are based on the following legal grounds: contractual performance, the consent of Data Subjects, ADEME's legal and regulatory obligations, its legitimate interest, or the performance of a public interest mission.

The purposes associated with each legal basis are listed below:

  • Based on the performance of pre-contractual measures taken at the request of Data Subjects and/or the performance of the contract they have entered into:
    • Management of the relationship between Site users and ADEME, including notably:
      • Creation of a user account;
      • Use of the sites and services;
      • Management of communications and follow-up of exchanges with users.
  • Based on the consent of Data Subjects:
    • Provision of personalized Services, such as announcements, newsletters, training, etc.;
    • Provision of optional Services such as interactive discussion spaces or chats;
    • Management of user participation in games and contests;
    • Management of cookies subject to consent.
  • Based on compliance with its legal and regulatory obligations:
    • Development of Products and Services to facilitate the completion of administrative formalities necessary for processing requests from internet users and consumers;
    • Management of responses to official requests from public or judicial authorities authorized for this purpose;
    • Compliance with the regulations applicable to our activity;
    • Management of requests to exercise rights.
  • Based on its legitimate interests:
    • Development and improvement of new Products or Services and offers of Products or Services to internet users and/or for the benefit of the public;
    • The fight against fraud and abuse, including the management of the consequences of such fraud or abuse;
    • Management of security breaches or any technical problems encountered by Products or Services;
    • Carrying out commercial prospecting activities aimed at professionals;
    • Management of clients or employees within a group of companies for internal administrative management purposes;
    • Management of user information requests and complaints;
    • Establishment of any means of proof necessary for the defense of ADEME's rights;
    • Management of cookies not subject to consent.
  • Based on a public interest mission:
    • Management of grant/aid requests to facilitate the completion of administrative formalities necessary for processing user requests;
    • Management of communications and follow-up of exchanges with users;
    • Compliance with the regulations applicable to our activity.

How long is Personal Data retained?

ADEME undertakes to retain the Personal Data of Data Subjects for a period not exceeding that necessary to fulfill the purposes for which it is processed, plus the legal limitation period. Furthermore, ADEME retains the Personal Data of Data Subjects in accordance with the retention periods imposed by applicable laws in force, where applicable.

Specifically, ADEME organizes its data retention policy as follows:

  • Management of the relationship with users of ADEME Sites: The data is retained for the entire duration of the contractual relationship: lifetime of the user account or last incoming contact (login or modification of the personal space), plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract.
  • Provision of personalized Services: The data is retained for three (3) years from the last incoming contact.
  • Provision of optional Services: The data is retained for three (3) years from the last incoming contact.
  • Management of user participation in games and contests: The data is retained for three (3) years from the last incoming contact.
  • Development of Products and Services to facilitate administrative formalities: The data is retained for the entire duration of the completion of administrative formalities, plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract.
  • Management of responses to official requests from authorized public or judicial authorities: The data is retained for the entire duration of the authorities' investigation.
  • Management of requests to exercise rights: The data is retained for one (1) or six (6) years, depending on the right exercised.
  • Fight against fraud and abuse: Data may be retained for up to twelve (12) months from the issuance of alerts before being qualified. Alerts qualified as irrelevant or unqualified at the end of the twelve (12) month period are deleted. Qualified alerts are retained for a maximum duration of five (5) years from the closure of the fraud file. For individuals registered on a list of proven fraudsters, their data is deleted after a period of five (5) years from the date of registration on this list. If legal proceedings have been initiated, data is retained until the end of the legal proceedings, plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract.
  • Management of security breaches: Computer logs/traces are retained for thirteen (13) months.
  • Commercial prospecting aimed at professionals: The data is retained for three (3) years from the last incoming contact.
  • Management of clients or employees within a group of companies (internal admin): The data is retained for the entire duration of the contractual relationship, plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract.
  • Management of user information requests and complaints: In the event of a contractual relationship with ADEME, data is retained for the entire duration of the contractual relationship, plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract. In the absence of a contractual relationship with ADEME, data is retained for three (3) years from the last incoming contact.
  • Establishment of proof for the defense of ADEME's rights: In the event of a contractual relationship with ADEME, data is retained for the entire duration of the contractual relationship, plus the duration of the legal prescription periods. The common law prescription period in civil and commercial matters is five (5) years from the end of the contract. In the absence of a contractual relationship with ADEME, data is retained for three (3) years from the last incoming contact.
  • Cookie management: Your choice regarding cookies is retained for 6 months. Data collected via cookies is retained for 25 months.

Who is likely to access the Personal Data of Data Subjects?

Recipients of the Personal Data of Data Subjects

Data collected on ADEME's Sites, Products, or Services, or through any other means, may be communicated to authorized ADEME personnel, its partners, or its service providers in connection with the performance of all or part of the services. ADEME reminds users that within this framework, it contractually requires its partners and service providers to implement strict confidentiality and data protection measures. Furthermore, ADEME may be required to provide personal information to authorized French or foreign public authorities.

Data transfers outside the European Union

Some of the recipients mentioned above may be established outside the European Union and may have access to all or part of the personal information collected by ADEME due to a specific legal authorization.

In this context, ADEME retains its commitment to guarantee the protection of the Personal Data of Data Subjects in accordance with the strictest rules, notably through the case-by-case signature of standard contractual clauses based on the European Commission model, or any other mechanism compliant with the GDPR, whenever the Personal Data of Data Subjects is processed by a provider outside the European Economic Area whose country is not considered by the European Commission to ensure an adequate level of protection.

In any event, ADEME undertakes to inform Data Subjects prior to any data transfer outside the European Union.

How are the rights of Data Subjects exercised?

In accordance with the GDPR, Data Subjects may, at any time, exercise their rights to access, rectify, or erase data concerning them, as well as their rights to restrict and object to the Processing and the portability of their Personal Data.

Furthermore, when the Personal Data Processing operations implemented by ADEME are based on the consent of Data Subjects, the latter may withdraw it at any time. ADEME will then stop processing the Personal Data of the Data Subjects, without affecting the lawfulness of any processing carried out prior to such withdrawal.

In addition, Data Subjects may legally have the right to define post-mortem directives relating to the retention, erasure, and communication of their Personal Data with a certified, trusted third party responsible for enforcing their wishes, in accordance with the applicable legal framework.

Moreover, any person who was a minor at the time their Personal Data was collected may obtain its erasure as quickly as possible.

Under the right of access, ADEME may require Data Subjects to pay reasonable fees based on administrative costs for any additional copy of the data beyond the one provided.

These rights can be exercised by postal mail to the following address:

ADEME Délégué à la Protection des Données / Data Protection Officer 20, avenue du Grésillé — BP 90406 - 49004 Angers Cedex 01 Or by Email to the following address: [email protected]

In this context, requests must be accompanied by the elements necessary for identification (last name, first name, email) of the Data Subjects, as well as any other information necessary to confirm their identity.

For certain specific Services, these rights may be exercised directly online (management of your user account, management of your subscriptions to newsletters, news, etc.).

In the event of a breach of the applicable regulations regarding the protection of Personal Data, Data Subjects also have the right to lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL) on French territory (3 place de Fontenoy - TSA 80715 – 75334 Paris cedex 07; tel.: 01 53 73 22 22), without prejudice to any other administrative or judicial remedy.

IT Security / Transaction Security

ADEME implements all useful technical and organizational measures, given the nature, scope, and context of the Personal Data you communicate to us and the risks presented by its Processing, to preserve the security of your Personal Data and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, intrusion, or access to this data.

The security and confidentiality of Personal Data depend on everyone's good practices. For this reason, Data Subjects are urged not to communicate their passwords to third parties, to systematically log out of their profile and social media accounts (notably in the case of linked accounts), and to close their browser window at the end of their session, especially if accessing the internet from a computer shared with other people.

Personal Data Concerning Minors

ADEME does not collect or process Personal Data relating to children under the age of 16 without the prior agreement of the parents or holders of parental responsibility for the child.

If Personal Data concerning children is collected via the ADEME Site and/or via Services or Products, parents or holders of parental authority have the option to object by contacting ADEME at the address indicated above.

Furthermore, as stated above, a child who was a minor at the time their Personal Data was collected may obtain its erasure as quickly as possible.

Links to Access Other Sites

On several pages of ADEME's Sites, it is possible to click to access other websites belonging to other companies. ADEME recommends reading the privacy policy of these sites regarding the Processing and protection of Personal Data, as terms on those sites may differ from those applicable on ADEME's Sites, and ADEME shall under no circumstances be held responsible for the Processing of Personal Data by these other websites.

Amendments

ADEME reserves the right to adapt this Policy.

If ADEME makes a modification to this Policy, it will publish the new version on the relevant media platforms and update the "last updated" date located at the top of this Policy.

ADEME therefore invites you to regularly consult the relevant platforms where the Policy is published.

Page top