Data protection charter
Data protection charter and cookie policy
CAFAN confers great importance on the protection and confidentiality of the personal data of its Clients/Prospects (hereinafter referred to as the “Data”) and oversees respect for the applicable legislation.
In this way, the present charter materialises the commitments of CAFAN (hereinafter referred to as the “Company”) on the use and protection of the Data (hereinafter referred to as the “Charter”).
The Client/Prospect is therefore asked to read this Charter, which aims to present the way in which the Company processes the Data in the context of provision of the services offered by the Morgan brand and the way in which Clients/Prospects can exercise their rights.
1. Scope of the charter
This Charter applies to all collection and all processing of Data concerning the Clients/Prospects of the Morgan brand belonging to the Company (hereinafter referred to as the “Brand”) for the processing undertaken virtually via the following website: morgandetoi.com (hereinafter referred to as the “Website”).
Our sales processing partner is GLOBAL-E France SAS (hereinafter referred to as the “Global-E”), company incorporated in France (registered under number 818 358 459 RCS Paris) with its registered office at 320 rue Saint-Honoré, 75001 Paris, France.
When you buy products on the Website, your personal data will be collected and used by Global-E for the purposes of executing the order and delivering the products. Please consult the Global-E confidentiality policy [link to the Global-E Confidentiality Policy] for further details about the way in which that company uses your personal data.
The Charter applies only to the use of your data by the Brand.
2. Data processed
In order to provide its Clients/Prospects with all services offered, the Brand will need to collect the following Data:
- contact details (e.g. telephone number, email address, postal address, etc.),
- identification (e.g. surname, forename, date of birth, etc.),
- data on use of the Website (e.g. IP address, logs and tokens, clicks, etc.).
The Brand respects the principle of minimising data, which consists of only collecting the Data strictly necessary.
3. Sources of collection of data
Your Data are generally collected directly from you as follows:
- via your purchases and/or actions undertaken on the Website of the Brand (e.g. creation of a “Client/Prospect account”);
- via your communications with the Brand’s consumer department.
4. Purposes and legal grounds of the data processing
The Company processes the Data of Clients/Prospects only in order to offer them the services requested and to provide a high-quality Client/Prospect experience.
a) Processing on the legal grounds of performance of a contract with the Clients/Prospects:
- creation and management of “Client/Prospect accounts”;
- tracking of orders and deliveries;
- management of complaints and after-sales service.
b) Processing on the legal grounds of the legitimate interests of the Brand
- drawing up commercial statistics;
- marketing.
c) Processing on the legal grounds of a legal obligation is that relative to the collection and safeguarding of Client/Prospect actions when using the Website.
5. Storage period
The table below presents the storage periods implemented by the Company for the Data according to the purposes of the processing.
Purposes of the processing |
Storage period |
Data relative to the history of purchases and services, recovery, management of complaints and the consumer department, etc. |
10 years |
Data relative to the use of the “Client/Prospect Account” |
Term of the contract and legal time limitation duration if applicable |
“Cookies” |
13 months from the time they are placed on the Client/Prospect’s device from the last use of the Website |
Website login and usage data |
1 year |
At the end of these periods, the Data will be either erased or anonymised for studies and/or statistics.
The Data will also be kept in case of potential or actual litigation for the whole duration of the dispute.
It is also specified that erasure and anonymisation of the Data are irreversible operations and that the Company is subsequently no longer able to restore them.
6. Recipients of the data
The Company may be required to transfer Data:
- to the authorised departments of the Brand;
- to the partner Global-E in the context of processing the Client/Prospect’s order;
- to third parties in the context of fraud prevention, and more generally in the context of any criminal activity or on the request or orders of the court or administrative authorities.
7. Transfers of data outside of the European Union
The Data are stored in France, but may also be transferred to service providers, subcontractors or subsidiaries of the Company in a country that is not a member of the European Union.
This type of transfer shall take place pursuant to and with respect for the applicable laws, and within a contractual framework determining the conditions of intervention and security of the service providers.
The contractual framework notably complies with the European Commission decision of 5 February 2010 (2010/87/EU) on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC or is subject to “Binding Corporate Rules”.
8. Rights of clients/prospects
8.1. Right of access and to obtain a copy
You have the right to ask the Brand for confirmation about whether or not your Data is processed.
You have the right to request a copy of your Data subject of processing by the Brand. However, in case of request for additional copy, the Brand may require you to cover the cost.
If you send your request for copy of the Data electronically, the information requested will be provided to you in a commonly used electronic form, unless requested otherwise.
You are informed that this right of access cannot pertain to confidential information or data, or for those whereby the law does not allow communication.
The right of access must not be exercised abusively, i.e. regularly with the sole aim of destabilising the Brand.
8.2. Right of rectification and update
The Company will automatically fulfil update requests for online amendments in fields which can technically or legally be updated on your written request.
8.3. Right of erasure
Your right of erasure will not apply in the event where the processing is implemented to fulfil a legal obligation.
Except in that situation, you may request erasure of your Data in the following limited cases:
- the Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- when you withdraw the consent on which the processing is based and where there is no other legal ground for the processing;
- you object to the processing necessary for the legitimate interests pursued by the Brand and there are no overriding legitimate grounds for the processing;
- you object to the processing of your data for marketing purposes, including for profiling;
- the Data have been unlawfully processed.
8.4. Right to restriction of processing
You are informed that this right will not apply where the processing undertaken by the Brand is legal and all Data collected are necessary, notably to perform contracts of sale.
8.5. Right to portability
The Company will grant the right to Data portability in the specific case of Data you have communicated yourself on online services offered by the Brand and for purposes based solely on your consent and the performance of a contract. In this case, the Data will be communicated in a structured, commonly used and machine-readable format.
8.6. Right to object
In compliance with the legislation in force, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your Data whereby the legal grounds are the legitimate interest pursued by the Brand.
If you exercise such right of opposition, the Company will no longer process the Data concerned, unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
8.7. Automated individual decision-making
The Company does not make automated individual decisions.
8.8. Posthumous right
You are informed that you have the right to give instructions concerning the storage, erasure and communication of your data after your death.
8.9. Implementation of your rights
To exercise your rights, you must contact the services of the Brand with which your Data was collected in one of the following ways:
(i) by sending your request via the contact form on the Website;
(ii) by writing to the following email address: dpo@morgan.fr
(iii) by writing to the following address: - Service Clients/Prospects; ZAC de La Moinerie, 10, impasse du Grand Jardin 35400 SAINT-MALO, specifying the Brand.
In compliance with the data protection legislation, you are informed that this is an individual right that can only be exercised by the data subject relating to their own information. Thus, for security reasons, the services of the Brand concerned therefore reserve the right, in case of doubt over the identity of the applicant, to request an up-to-date identity card in order to avoid any communication of confidential information concerning somebody else.
8.10. Right to lodge a complaint with the CNIL
You are informed of your right to lodge a complaint with the competent authority, specifically the authority of the country of your principal residence or your workplace, or in which the offence was committed, if you feel that the processing of your Data breaches the applicable rules.
In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (hereinafter referred to as the “CNIL”): CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 / Telephone: 01 53 73 22 22
9. Security and confidentiality of your data
It is incumbent upon the Company to define and implement the technical measures of physical or digital security it deems appropriate to prevent the destruction, loss, impairment or unauthorised disclosure of the data accidentally or unlawfully.
These measures principally include:
- management of authorisations for access to the data;
- internal protection measures;
- the process of identification;
- conducting security audits and penetration tests;
- adoption of an information system security policy;
- adoption of business resumption/continuity plans;
- use of a protocol or security solutions.
To do this, the Company may be assisted by any third party of its choice to conduct, at the frequencies it deems necessary, vulnerability audits or intrusion tests. In any event, in case of change to the resources ensuring the security and confidentiality of the Data, the Company undertakes to replace them with resources of a greater performance. No upgrade may lead to a regression in the security level.
In case of subcontracting all or part of the Data processing, the Company undertakes to contractually impose security guarantees on its processors, via technical measures for protection of these data and the appropriate human resources.
10. Data breach
The Company undertakes to notify the CNIL of any Data breach the Brand may suffer under the conditions laid down by the legislation in the matter.
You will of course be informed of any Data breach that could infringe your rights and cause any risk to you.
11. Data protection officer
The Company has designated a Data Protection Officer (“DPO”), whose email adress is as follows:
- Email address: dpo@morgan.fr
12. Cookies and others trackers
To view our policy regarding cookies and other trackers, [click here]
13. Amendment and update to the charter
This Charter may be amended or adapted at any time in case of legal or jurisprudential change or according to the decisions and recommendations of the CNIL and good practice. Any new version of this Charter will be notified to you by any means, including electronically.