General Data Protection Regulation (GDPR)

The Bordeaux Métropole Tourism and Convention Office (OTCBM) wishes to respect all legal obligations regarding the protection of personal data, in particular by publicly committing to comply with the European General Data Protection Regulation 2016/679, known as the GDPR, and French Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, amended by the Law of 6 August 2004 (« French Law on Data Protection and Civil Liberties »).

This privacy policy is intended to inform users of the decisions and practices of the OTCBM with respect to privacy, as well as the choices that can be made about the way data is collected online and how it is used.

In accordance with the French Law on Information Technology and Civil Liberties and the General Data Protection Regulation, the OTCBM undertakes to:

  • only process data that has been fairly and lawfully collected;
  • only process the data collected in this way for specified, explicit and legitimate purposes;
  • only process data that is adequate and relevant and not excessive in relation to the purpose of their processing;
  • take all necessary precautions to preserve the security of the data, in particular to prevent it from being distorted, altered or damaged;
  • not communicate this data to third parties outside the company without informing the persons concerned.

The OTCBM recognises that providing information online involves a high degree of trust and therefore makes it a major priority to ensure the security and confidentiality of personal data provided by visitors to its website and when using its services.

Intellectual property of the website

The content of our site and the general structure, tree structure, textual content, images (whether animated or not) and logos of which it is composed are the exclusive property of the OTCBM. Any representation, in whole or in part, of this site or its contents, on any medium whatsoever, for collective or professional use, even internally within the company, by any means whatsoever, without the prior express written authorisation of the OTCBM is prohibited and would constitute an infringement punishable under Articles L.335-2 et seq. of the French Intellectual Property Code. Violation of these provisions will subject the offender and all persons responsible to the criminal and civil penalties provided for under French law.

Opinions and comments

By leaving a review, comment or rating, the user acknowledges and agrees that such contributions are non-confidential and non-private.

The OTCBM may review and monitor the opinions and comments of users and cannot be held responsible for the opinions of users even if it makes every effort to moderate them.

However, the OTCBM reserves the right to remove, at its sole discretion, without notice, any opinion or comment posted by users for any reason.

The user undertakes not to publish or disseminate any of the following content:

  • any content that is false, unlawful, misleading, defamatory, abusive, obscene, pornographic, indecent, licentious, suggestive, intimidating or harassing to another person, threatening, invasive of privacy, abusive, inflammatory, fraudulent or otherwise objectionable;
  • any content that is clearly offensive to the Internet community, such as content inciting racism, bigotry, hatred or any physical attack on groups or individuals;
  • Confidential information including, without limitation, surnames, addresses, telephone numbers, e-mail addresses, social security numbers and credit card numbers.

The OTCBM is not responsible for any content posted by users, nor for any loss or damage related to such content. Furthermore, it cannot be held responsible for any errors, defamation, slander, omissions, lies, obscene, pornographic or vulgar content that Internet users may view.

Contact details of the data controller

12, Cours du XXX Juillet – CC 31366
33080 Bordeaux cedex
TEL: +33 (0)5 56 00 66 17

Data collection and use

The OTCBM undertakes to only collect data that is strictly necessary for the provision of the Service and any follow-up that may result from it, after having obtained the Client’s consent in accordance with the regulations.

Purpose of collection

The OTCBM uses the personal data collected for the execution of the contract and to send information and promotional offers concerning products published by it.

Categories of data collected

The OTCBM ensures that it only collects data that is strictly necessary for the declared purposes of the various processing operations.

Recipients of your data

Your personal data will not be passed on to third parties. The persons with access to your data are the following:


  • staff responsible for commercial, legal and administrative follow-up. Only the competent staff have access to the data they need for their activity.


  • the subcontractor for the management of payments for purchases made on our website (REGIONDO, a company based in Munich – Germany).

Under no circumstances will your data be passed on, sold, loaned, assigned or rented to third parties, whether partners or not, who may contact you.

Duration of storage of information

The personal data collected from customers and prospects will be kept in an active database for a maximum of three years after the end of the contractual relationship for customers, or the last incoming contact for prospects, and then the data will be anonymised or destroyed.

Reminder of your rights under the GDPR

Under the provisions of Article 12 of the GDPR you have the right to obtain clear, concise and transparent information from the OTCBM. The main purpose of this document is to meet the obligations set out in Article 13 of the Regulation.

Right to receive confirmation of processing

You have the right to obtain confirmation from the controller as to whether or not your personal data is being processed. (Art. 15-1 of the GDPR)

Rights of access, purposes, categories, recipients, duration

You have the right to access such personal data and the following information:

  • the purposes of the processing; (Art. 15-1a of the GDPR)
  • the categories of personal data concerned; (Art. 15-1b of the GDPR)
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed; (Art. 15-1c of the GDPR)
  • where possible, the intended period for which the personal data will be stored, or the criteria used to determine that period; (Art. 15-1d of the GDPR).

Rectification, erasure/“right to be forgotten”, restriction, opposition, portability

You have the right to request from the controller:

  • rectification of your personal data (Art. 16 of the GDPR)
  • erasure of your data (« right to be forgotten ») (Art. 17 of the GDPR)
  • restriction of the processing of personal data (Art. 18 of the GDPR)
  • the right to object to the processing of your data; (Art. 21 of the GDPR)
  • the right to receive your data in an easily machine-readable format allowing for its portability; (Art. 20 of the GDPR)

Complaint to the CNIL, origin of data, automated decision-making

You also have the right to:

  • lodge a complaint with a supervisory authority; (Art. 15-1f of the GDPR)
  • access any available information as to the source of the personal data where they are not collected from you; (Art. 15-1g of the GDPR)
  • verify the existence of automated decision-making, including profiling, and in such cases, relevant information about the underlying logic and the significance and intended consequences of such processing. (Art. 22 of the GDPR), (Art. 15-1h of the GDPR)

Right to know if your data is subject to cross-border transfer

You have the right to be informed of the appropriate safeguards if your data is transferred to a third country outside the European Union. (Art. 15-2 of the GDPR)

Right to obtain a copy of your data

You have the right, upon presentation of proof of identity, to obtain from the data controller an electronic or paper copy of your personal data processed in our company or by any of our subcontractors (provided that this request does not infringe on the rights and freedoms of others).

You may address any request in this regard to the Data Protection Officer listed above. (Art. 15- 3 & 4 of the GDPR)

Right to give instructions in the event of death

You also have the right to give us instructions on what to do with your data after your death. (Law n° 2016-1321 of 7 October 2016 for a Digital Republic)

Right to withdraw previously given consent for collection

You have the right to withdraw your consent at any time.
Withdrawal of such consent shall not affect the lawfulness of processing based on the consent given prior to such withdrawal.

You must be informed of this right before you give your consent. It must be as easy for you to withdraw your consent as it is for you to give it to us. (Art. 7-3 of the GDPR)

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you become aware of a breach of your data or if you consider that the processing of your personal data constitutes a breach of the Regulation.

However, we suggest that you first contact the above-mentioned data controller.

The following link provides information on the procedure provided for by the CNIL:

Right to know the consequences of refusing to provide information

You are informed that, in accordance with Article 32 of the French Law on Information Technology and Civil Liberties, the information you provide via the forms on the site is required in order to respond to your request and is intended for the departments responsible for responding to your request for follow-up purposes.

You have the right to refuse to give us this information.

Right not to be subject to an automated decision

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, which has legal effects concerning you. (Art. 22-1 of the GDPR)

The OTCBM does not carry out such data processing.

Right to demand that your data be kept secure

The OTCBM ensures the security and durability of your Personal Data by implementing a series of physical and logical safeguards in the storage and backup of your data, in order to prevent it from being destroyed, corrupted, modified, misappropriated, or damaged.

Exercising your rights

In accordance with the amended « French Law on Information Technology and Civil Liberties » of 6 January 1978, you have the right to access and rectify or delete information concerning you, upon presentation of proof of identity. You may also, on legitimate grounds, object to the processing of such data or request their portability.

To exercise your rights as defined above, you must prove your identity and, if desired:

  • tell us why you want to exercise these rights
  • define the exact scope of the data of which you wish to obtain copy
  • specify the format of the data you wish to receive

To this end, please contact the CNIL contact responsible for monitoring our compliance.

Partial opposition (or a simple request to unsubscribe) is a right that you can exercise at any time when we send you information, by means of a link in each e-mail you receive from us.

For more information on your rights, please visit the CNIL website at

You also have the right to take your case directly to the CNIL if you believe that your rights have been violated, or that our company is not meeting its data protection obligations.

Measures taken to protect personal data

The OTCBM has taken measures to prevent any breach of personal data, including:

  • Appointment of a data controller
  • Raising awareness of personal data protection among teams
  • Information system security audit
  • Securing workstations with passwords
  • Logging out of sessions after a limited time of inactivity
  • Wi-Fi not accessible to visitors and not allowing access to the network

Applicable law and jurisdiction

Our business is governed by French law. In the event of a dispute, the French courts shall have exclusive jurisdiction.

Changes to the present Data Protection policy

The OTCBM reserves the right to modify this Data Protection policy at any time, for example to take into account new data collected, changes in our processing or our purposes, but also to bring us into compliance with changes in certain legislative and regulatory provisions, particularly with regard to the Data Protection Act or the GDPR.


to top