Last updated: 16th May 24
Protecting our customers' personal data is one of our core concerns.
This document applies to data that we collect online, on our websites, but also to data that we collect offline during events.
It is our wish to provide you with all necessary information for a good understanding of how your data are used:
- Who is responsible for the use of your data?
- With whom are your data shared?
- When are your personal data collected?
- What data do we collect?
- How do we use your data and for how long do we keep them?
- Are there any specific measures for children?
- Where are your personal data stored?
- How are your data secured?
- What are your rights relative to your data?
- Any questions? Contact us!
1. Who is responsible for the use of your data?
When you book and/or access our services, your personal data are processed by both:
- Compagnie des Alpes, parent company of the Compagnie des Alpes Group, with capital of €25,266,567.50, registered with the Paris TCR 349 577 908, having its registered office at 50-51 boulevard Haussmann 75009 Paris,
- Compagnie des Alpes Domaines Skiables, affiliated company of the Compagnie des Alpes Group with capital of 298.531.100,00 €, registered with the TCR of Paris 298.531.100,00 €, having its registered office at 50/52, boulevard Haussmann - 75009 Paris, France
In this policy, the word "we" refers to these two companies, which may act together as joint controllers for the processing operations indicated below.
While Compagnie des Alpes is in charge of the management and supervision of the IT system used to collect and process your data, it is nevertheless solely up to CDA-DS, as a joint or as an autonomous data controller, to manage the contractual relationship with you, to provide you with the ordered services, and to carry out marketing and advertising operations on its services and brands or ancillary services on the ski area (WiFi, photos, ski instructions).
CDA-DS and the ski lift operating companies may also act as joint controllers for processing aimed at sending you joint messages related to Ski à la Carte, as well as verifying that you have paid the amounts due under Ski à la Carte.
The ski lift operating company you choose as your preferred resort when you subscribe to Ski à la Carte also acts as a controller for processing aimed at handling your order and sending you messages specific to that company.
The aforementioned ski lift operating companies are as follows:
• SCV Domaine Skiable, the company operating the ski lifts in the Serre Chevalier ski area, represented by Patrick Arnaud, acting as General Manager, with its registered office at Serre d’Aigle, place du Téléphérique, Chantemerle, 05330 Saint-Chaffrey, France;
• ADS, the company operating the ski lifts in the Arcs-Peisey Vallandry ski area, represented by Frédéric Charlot, acting as General Manager, with its registered office at Chalet des Villards, Les Arcs 1800, 73700 Bourg-Saint-Maurice, France;
• The Société d’Aménagement de la station de la Plagne, the company operating the ski lifts in the La Plagne ski area, represented by Nicolas Provendie, acting as General Manager, with its registered office at La Plagne, Plagne Centre, 73210 La Plagne Tarentaise, France;
• Grand Massif Domaines Skiables, the company operating the ski lifts in the Grand Massif ski area, represented by Frédéric Marion, acting as General Manager, with its registered office at Téléphérique de Flaine, Grandes Platières, Flaine, 74300 Arâches-la-Frasse, France;
• The Société des Téléphériques de la Grande Motte, the company operating the ski lifts in the Tignes ski area, represented by Pascal Abry, acting as General Manager, with its registered office at Gare de la Grande Motte, 73320 Tignes, France;
• The Société des Téléphériques de Val-d’Isère, the company operating the ski lifts in the Val-d’Isère ski area, represented by Arnaud Mollanger, acting as General Manager, with its registered office at Gare centrale des téléphériques, 73150 Val-d’Isère, France;
• The Société d’Exploitation de la Vallée des Belleville, the company operating the ski lifts in the Menuires ski area, represented by Didier Bobillier, acting as General Manager, with its registered office at Mont de la Chambre, BP 2, Gare de la télécabine des Menuires, 73440 Les Belleville, France
2. With whom are your data shared?
Compagnie des Alpes Group internal recipients:
Your data are processed jointly by CDA DS, SCV Domaine Skiable, ADS, Société d’Aménagement de la station de la Plagne, Grand Massif Domaines Skiables, La Société des Téléphériques de la Grande Motte, La Société des Téléphériques de Val-d’Isère, La Société d’Exploitation de la Vallée des Belleville and Compagnie des Alpes, the parent company of the Compagnie des Alpes Group.
Within these companies, your data are only accessible to a limited number of people, within specific departments (customer service, sales, accounting, IT, etc.), only if access to the data is necessary for the needs of their functions.
However, your data are not shared with other member companies of the Compagnie des Alpes group, unless you have expressly authorised us to do so.
Compagnie des Alpes Group external recipients:
Your data may also be shared with recipients outside of the Compagnie des Alpes Group:
- With all of our technical service providers whose intervention is necessary in order to carry out the processing operations indicated below (IT service providers, payment service providers, etc.), for the purposes of processing your order and improving our services and exclusively within the limits of our instructions;
- Where appropriate, with national or local authorities, if required by law or as part of an investigation and in accordance with regulations.
3. When are your personal data collected?
We may collect your personal data on different occasions:
Online:
On our website, to order lift passes, receive our newsletters, log in to your account or take advantage of our digital services.
During our interactions with you:
When you open or reply to a newsletter, take part in a satisfaction survey or participate in a contest. When you call customer services with a complaint.
4. What data do we collect?
We only collect the data that are strictly necessary for their use, and no more!
Depending on how you use our websites, we may collect the following information:
- Information required to create your customer account (surname, first name, e-mail address, date of birth, postal address)
- Payment information
- Telephone number
- Browsing data on our website (on this subject, see our information on cookies!)
5. How do we use your data and for how long do we keep them?
At the end of the retention periods defined below, we delete your data from our systems or make it anonymous so that it can no longer be used to identify you.
| Processing operations | Legal basis | Data retention periods |
|---|---|---|
| Customer account | Fulfilment of the contract | For as long as your customer account is active, and for up to 2 years after the last connection to your account. |
| Order processing | Fulfilment of the contract | For online purchases: for five years from the date of purchase if the value of the order is less than €120, for ten years if the value of the order is €120 or more (and for 5 years for transactions at the checkout). The data linked to your bank card are retained for 13 months by our payment service providers after the last debit date for proof purposes in the event that the transaction is disputed (15 months in the case of deferred debit payment cards). The cryptogram is not retained after the transaction. |
| Satisfaction surveys | Legitimate interest | Time required to achieve the survey objective, then anonymized. |
| Contests | Running of the contest | 6 months from the end of the contest. |
| Sending newsletters / prospecting campaigns by e-mail or sms. | Consent, or legitimate interest if you are a customer who has purchased a product on our website, our automated terminals or our mobile application | 3 years from your last contact with us (e.g. a request for commercial documentation, a click on a hypertext link contained in our newsletter). |
| Complaint handling and after-sales service | Fulfilment of the contract | 5 years after the claim has been closed |
| Preparation of statistics | Legitimate interest | Time required to achieve the objective of the statistics, then anonymized. |
| Customization of navigation/profiling | Consent | 13 months |
| Exercising your GDPR rights | Legal obligations | 10 years from the closing of the request. When proof of identity has been required, it will be deleted as soon as verification has been completed. |
| Litigation management | Legitimate interest | Until all avenues of appeal have been exhausted |
| Cybersecurity - Vulnerability Disclosure | Legitimate interest | 6 years from the receipt of the vulnerability disclosure |
6. Are there any specific measures for children?
Although the family dimension of our activities is at the heart of our concerns, we do not process any data specifically relating to children.
When our services are being used by persons under the age of 15, we recommend that they be accompanied by an adult. The consent of parents or legal guardians may be obtained when their personal data are collected, if necessary.
7. Where are your data stored?
All of your personal data are stored exclusively on servers located within the territory of the European Union.
Although hosted within the territory of the European Union, these data may be accessible from third countries when we use technical service providers (e.g.: AWS, Microsoft, Google), which are based abroad (i.e.: United States, Israel). Any access from these countries is considered to be a data transfer, but is necessary for the proper operation and maintenance of the IT tools that they offer. These service providers have real expertise that justifies their involvement.
We make every effort with these service providers to ensure that your data are protected in accordance with European regulations. These service providers only act within the framework of our instructions. Contracts are systematically signed with the latter, and transfers of personal data are governed by enhanced contractual clauses specifically designed for this purpose (standard contractual clauses - SCCs - published by the European Commission) where the laws of the country in question do not offer protection equivalent to the GDPR (so-called “adequate” countries). If necessary, additional technical or legal measures are put in place.
8. How are your data secured?
The security of your personal data is a central concern for the companies in the Compagnie des Alpes group, which pool their resources to ensure that you benefit from an appropriate level of security that is up to date with the state of the art.
In order to preserve the confidentiality and security of your personal data, and notably to protect them against unlawful or accidental destruction, accidental loss or alteration, or unauthorised disclosure or access, the Compagnie des Alpes Group takes appropriate technical and organisational measures, and imposes the same level of requirements on its subcontractors. These measures are adapted according to the sensitivity of the data processed and the risk level.
The Compagnie des Alpes Group has put in place procedures to detect, analyse and monitor security incidents and any suspected breach of your personal data, and to be able to block access to the data at any time. Procedures for managing personal authorisations have also been put in place to ensure that access to data is as restricted as possible.
Despite our efforts, vulnerabilities may still be present in our systems. If you think that you have detected a vulnerability, please contact us using this form (vulnerability disclosure page), while respecting the principles described there.
9. What are your rights over your data?
You have a number of rights in relation to your personal data held by us:
- The right to object: You no longer wish to receive our commercial communications, object to a decision related to your profiling, or withdraw consent
- The right to rectify your data: change of name? a mistake in your date of birth? Let us know by keeping your details up to date!
- The right to access your data: you may request a copy of all your personal data held by us, in an understandable format.
- The right to erase your data: You wish to delete your entire customer account and erase all of your personal data in our possession. We will comply with your request, with the exception of accounting and tax records relating to your transactions, as well as those required for the creation of our evidence files (in the event of any legal proceedings), which must be retained.
- The right to freeze the use of your data: if you are faced with a litigious situation and wish to prevent the deletion of your data, your data will be retained without being used.
- The right to take your data: You wish to recover some of your data. You are then free to store them elsewhere or to transfer them easily from one system to another, so that they can be reused for other purposes.
You will find all of our contact details below for the exercise of these rights.
10. Any questions? Contact us!
Do you have a question? Would you like to stop receiving our newsletters? Delete your account?
We have appointed a Data Protection Officer to answer all of your questions and ensure the protection of your personal data.
To contact this person, click here!
Please fill in the form provided for this purpose, and your request will be processed within one month.
You can also reach our DPO:
- By post to the following address: CDA-DS, Ski à la Carte Service Protection des Données – 137 rue François Guise 73000 Chambéry FRANCE
or
- By e-mail to the following address: privacy@skialacarte.fr
If there are serious doubts about your identity, and if it cannot be done otherwise, you may be asked to provide proof of identity for the processing of your request, simply to ensure that we are dealing with the right person.
If, despite our efforts, you feel that our response is incomplete, you can contact the CNIL https://www.cnil.fr/fr