Hôtel Claude Bernard is managed by Indevho and therefore applies the principles for the protection of personal data described in this Policy.
Our ambition: to set hospitality in motion so we can grow, together. Our goal is to evolve our offering by breaking down barriers between experiences to serve the wishes and aspirations of traveling guests, always aiming for your satisfaction. As part of our commitment, we present our policy for protecting your personal data. This policy describes how we use this sensitive information and the procedures and measures implemented by our Group to guarantee respect for your rights.
In this policy, the terms “INDEVHO,” “Group,” or “Company” refer to:
• INDEVHO SAS, the company providing hotel management services, with its registered office at 130 RUE FREDERIC JOLIOT, CS 30343, 13799 AIX EN PROVENCE CEDEX 3
• The hotels managed by INDEVHO, regardless of the brand under which the hotel is operated. This list of hotels is regularly updated on the website www.indevho.com/fr
This Data Protection Policy aims to provide simple, clear, and comprehensive information on how INDEVHO processes the personal information you share with us. INDEVHO: hotels in motion! INDEVHO supports hotel investment and development. As such, please note that the hotel where you book is not owned by INDEVHO. Most hotels are operated under a management agreement between the hotel owner and INDEVHO. Therefore, when you stay at one of these hotels, your personal data is processed both by INDEVHO and by the hotel in question. In short:
• INDEVHO processes your data because it manages the central reservation system, which allows INDEVHO to collect the data necessary to organize your stays and to communicate this data to the relevant hotels.
• Each hotel processes your data to manage its contractual relationship with you (invoicing, payment, booking management, etc.), to conduct marketing activities, and to comply with its legal obligations. INDEVHO has communicated the principles set out in this policy to all hotels it manages and to their respective managers. We will do everything in our power to ensure that all hotels comply with applicable personal data protection laws as well as with this policy.
In accordance with applicable regulations, in particular the General Data Protection Regulation adopted in Europe (GDPR), we have established the following principles for processing your data within our Group: • Lawfulness: we only use personal data if:
o we have obtained the person’s consent,
o OR it is necessary for the performance of a contract to which the person is a party, o OR it is necessary for compliance with a legal obligation, o OR to safeguard your vital interests in very limited cases, o OR we pursue a legitimate interest in using personal data and such use does not prejudice the person’s freedoms and interests. • Fairness: we explain as clearly as possible what we do with the data.
• Purpose limitation and data minimization: we only collect personal data that is truly necessary. If we can achieve the same result using less personal data, we make sure to use only that data.
• Transparency: we inform data subjects about how we use their data. We make it easy for them to exercise their rights.
• Retention periods: we keep personal data only for limited periods.
• We ensure the security of personal data, i.e., its integrity and confidentiality.
• If a third party must use personal data, we ensure that they are able to protect the personal data.
• If personal data must be transferred outside the European Union, we ensure that such transfer is governed by appropriate legal mechanisms.
• If personal data is compromised (lost, stolen, damaged, unavailable, etc.), we notify this breach to the competent data protection authorities and to the individuals concerned if the breach is likely to create high risks to their rights and freedoms.
At various times, we may collect information about you or about the people accompanying you, including:
• Contact details (e.g., last name, first name, phone number, email)
• Personal information (e.g., date of birth, nationality)
• Information about your children (e.g., first name, date of birth, age)
• Your credit card number (for transactions and reservations); information shown on an identity document (e.g., ID card, passport, or driver’s license)
• Your arrival and departure dates
• Your preferences and interests (e.g., smoking or non-smoking room, preferred floor, type of bedding, type of press you read, sports, cultural interests, food and beverage preferences, etc.)
• Your questions/comments during or after a stay in one of the branded properties
• Technical and location information generated when using our websites and apps. To meet your requests or provide appropriate service (e.g., a specific dietary requirement), we may need to collect sensitive information, including certain health details. In such cases, we will collect this data only with your prior express consent.
Purpose: Manage room and accommodation bookings
Legal basis: Processing necessary for the performance of the contract binding us
Retention period: 3 years from the date you last interacted with us in any way
Purpose: Complete the police form if you are a foreign national
Legal basis: Legal obligation
Retention period: 6 months
Purpose: Complete the check-in form upon your arrival at the hotel
Legal basis: Performance of the contract
Retention period: 3 years from the date you last interacted with us in any way
Purpose: Manage the various services offered during your stay (spa booking, ski pass sales, etc.)
Legal basis: Performance of the contract / Consent
Retention period: Duration of your stay
Purpose: Send satisfaction surveys or collect your expectations about your stay and your feedback afterwards
Legal basis: Consent
Retention period: 3 years from the date you last interacted with us in any way
Purpose: Send newsletters, promotions, and tourism/hotel/service offers and/or contact you by phone
Legal basis: Consent
Retention period: 3 years from the date you last interacted with us in any way
Purpose: Personalize the welcome at the hotel, improve the quality of our service and your experience
Legal basis: Processing necessary for the performance of the contract binding us
Retention period: 3 years from the date you last interacted with us in any way
Purpose: Handle complaints
Legal basis: Legal obligation
Retention period: 6 years from the date your case is closed in relation to a complaint or claim
Purpose: Secure and improve your use of INDEVHO websites, in particular: navigation improvements, support and maintenance, and implementation of security and anti-fraud measures
Legal basis: Processing necessary to pursue our legitimate interest in managing our activities, providing IT, administration and network security services in order to prevent fraud.
Retention period: 13 months from the collection of the information
Purpose: Protect property and individuals and prevent payment defaults – Video surveillance
Legal basis: Processing necessary to pursue our legitimate interest in managing our activities, securing property and individuals, and preventing payment defaults.
Retention period: 30 days
Purpose: Use the necessary services to identify individuals present in the Group’s hotels, particularly in the event of serious incidents affecting the establishment concerned (natural disasters, attacks, etc.).
Legal basis: Processing necessary to protect the vital interests of guests. Retention period: For the duration of the event. Purpose: Comply with all applicable legislation, in particular: Managing unsubscribe requests for newsletters, promotions, tourist offers and satisfaction surveys; Managing data-subject requests regarding their personal data protection; Retaining accounting documents
Legal basis: Processing necessary for compliance with a legal obligation.
Retention period: For the entire period set by applicable legislation.
We must share your personal data with internal and external recipients under the following conditions. We share your data with a limited number of authorized individuals and services within our Group to offer you the best possible experience in our hotels. The following teams may access your data:
• Hotel staff
• Reservation staff using booking tools
• IT services
• Business partners and marketing services
• Medical services, where applicable
• Generally, any appropriate person within our Group entities for certain specific categories of personal data.
• With service providers and partners: your personal data may be shared with a third party to provide services and improve your stay, including IT subcontractors, banks, credit card issuers, external lawyers, routers, and printers.
• Local authorities: we may also share your information with local authorities if required by law or as part of an investigation and in accordance with local regulations.
For the purposes indicated in Article 6, INDEVHO strives to store your personal data in France, or at least within the European Economic Area (EEA). When we transfer your personal data to recipients outside the EEA, we ensure that the transfer is carried out:
• Either to a country ensuring an adequate level of protection, i.e., a level of protection equivalent to what European regulations require
• Or the transfer is governed by standard contractual clauses. Transfers to the United States may also be made to entities that have adhered to the Privacy Shield program.
INDEVHO takes appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular Article 32 of the GDPR), to protect your personal data against destruction, loss or alteration, misuse and unauthorized access, modification or disclosure, whether unlawful or accidental. To this end, we have implemented technical measures (such as firewalls) and organizational measures (such as ID/password systems, physical safeguards, etc.) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. When you transmit credit card information when making your reservation, SSL (Secure Socket Layer) encryption technology secures your transactions. Organizational measures ensure processing security.
What is a cookie? A cookie is a small text file placed in your computer, tablet, or mobile phone’s browser directories. Cookies may be placed on your device when you visit a website and may serve several purposes, such as ensuring websites function properly and obtaining information about visitor habits. While browsing INDEVHO’s and the hotels’ websites, you can choose whether to allow cookies to be stored on your computer. How to configure cookies? Cookie settings are managed directly via your Internet browser and, depending on the type of browser used, allow you to either systematically refuse cookies during browsing or allow them on a case-by-case basis. To learn more about the configuration to follow (in French), see the CNIL’s dedicated page: https://www.cnil.fr/fr/cookies-les-outils-pour-les-maitriser
You have the right to obtain information and access your personal data collected by INDEVHO, subject to applicable legal provisions. You also have the right to have your data rectified, erased, or to restrict its processing. In addition, you have the right to data portability and the right to set instructions for the processing of your data in the event of your death. You may also object to the processing of your data, in particular to the sharing among the Group’s establishments of information concerning your stays, your preferences, and your satisfaction. If you wish to exercise these rights, contact the department in charge of personal data directly by email at rgpd@hotelclaudebernardparis.com or by writing to: Hôtel Claude Bernard, Attn: Data Protection Officer, 43, rue des Ecoles, 75005 Paris. For confidentiality and protection of your personal data, we must identify you to respond to your request. Therefore, if we have reasonable doubts about your identity, you may be asked to attach a copy of an official identity document (ID card, driver’s license, passport) to support your request. You may also exercise your rights with respect to your personal data retained and processed by a hotel in its capacity as data controller. To do so, please contact that hotel directly. For assistance with your requests, please write to the Personal Data Protection Department at rgpd@hotelclaudebernardparis.com or at the postal address above. If you believe your rights have not been respected or that a response provided by INDEVHO is unsatisfactory, you may lodge a complaint with the CNIL.
We may amend this policy and invite you to consult it regularly, in particular each time you make a reservation in one of our hotels.
For any questions regarding personal data policy within the Group, please contact the Personal Data Protection Department (see the “Your Rights” section).
1. How has INDEVHO approached GDPR compliance?
The GDPR imposes new obligations on entities processing personal data, including documenting internal compliance (Accountability). Acting mainly as a Data Controller, INDEVHO has implemented a record of processing activities for each processing operation carried out directly with you, as well as for all activities performed internally independently and in collaboration with its service providers and partners. Furthermore, to ensure ongoing compliance, a global audit policy has been implemented to monitor the application of all policies and procedures established within the group and by the various service providers and partners performing certain actions on behalf of INDEVHO.
2. Has INDEVHO appointed a DPO?
A Data Protection Officer (DPO) is mandatory for certain organizations and strongly recommended for others under the GDPR. INDEVHO has appointed a Data Protection Officer responsible for leading the rollout of compliance, advising and raising awareness among internal teams on all personal data protection topics. The DPO regularly analyzes and monitors INDEVHO’s activities relating to the various compliance actions in place.
3. How does INDEVHO apply the GDPR across all its activities?
The GDPR has led companies to implement the principles of Privacy by Design (data protection from the design stage of any project) and Privacy by Default (minimum standards for data security and confidentiality). For new projects implemented, INDEVHO ensures these principles are respected operationally. To this end, the company applies a dedicated procedure to verify that all required standards and requirements are present in projects involving personal data processing (privacy risk assessments, application of retention periods, data minimization, transparency of processing activities, etc.).
4. What commitments has INDEVHO made for managing data internally?
INDEVHO employees are involved in protecting the data they process in the course of their activities. The Data Protection Officer has implemented a number of actions regarding personal data applicable across daily activities: • A confidentiality undertaking via their employment contracts, • Training and awareness on personal data protection, • Operational support for project management and application of data protection rules, • More broadly, coordination with all employees in carrying out compliance actions.
5. How does INDEVHO select its service providers in compliance with the GDPR?
INDEVHO works with a number of partners and service providers to deliver various services to its customers. When acting as Data Controller, INDEVHO performs a thorough assessment of its providers’ maturity. INDEVHO has set up the following organization: • A systematic provider selection process from the inception or evolution of any project involving personal data processing, • Provider categorization by risk level (based on the volume and sensitivity of the entrusted project), • Implementation of contractual clauses governing data exchanges and defining the responsibilities of the parties involved, • A provider audit procedure carried out on a regular, controlled schedule, • An internal INDEVHO audit procedure to perform a double-check of actions related to the various services.
6. How does INDEVHO inform its customers about personal data processing?
The GDPR requires companies to ensure transparency in managing personal data and to respect data subject rights. INDEVHO has implemented its privacy policy accessible on its website and on the websites of the various hotels to which it delegates this task. Users are therefore clearly and comprehensively informed about how their personal data is processed. INDEVHO has also worked collaboratively with the aforementioned hotels to provide direct information about personal data processing performed as part of hotel stays, particularly for administrative and regulatory purposes specific to tourism. In line with transparency actions, INDEVHO guarantees respect for individual rights by applying a dedicated procedure: the company provides a tailored response to each request submitted by any data subject and undertakes to meet the deadlines set by the GDPR.
7. Is personal data processed by INDEVHO transferred outside the European Union?
In the course of its activities, INDEVHO may transfer personal data outside the European Union. In such cases, the GDPR requires appropriate safeguards. INDEVHO therefore enforces a heightened control policy for providers and partners when such practices occur. INDEVHO nevertheless chooses to limit transfers of personal data outside the EU as much as possible. This factor is considered from the project launch stage and as part of the provider selection process. If INDEVHO nonetheless carries out transfers outside the European Economic Area (EEA), the process will be supported by the implementation of appropriate safeguards as required by the GDPR, in particular the standard contractual clauses developed by the European Commission.
Last updated: March 18, 2025
