MiNET

Privacy Policy

Version in force on January 14, 2024

MiNET places great importance on the protection and privacy of personal information, especially your personal data, and respects your choices regarding them.

This privacy policy will provide you with information about the personal data that MiNET may collect, the conditions under which your data is processed, your rights in this regard, and how you can exercise them. It aims to inform you in a concise, transparent, understandable, and easily accessible manner.

Contents

Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, concerning the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and French Law No. 78-17 of January 6, 1978, as amended, relating to Information Technology, Data Files, and Civil Liberties (Data Protection Act) establish the legal framework applicable to the processing of personal data.

In the course of its activities, MiNET may process personal data concerning you.

You have the right to access, rectify, erase, restrict, port, and object to your data processing. You can exercise these rights by contacting our data protection officer in several ways:

  • by email at webmaster@minet.net;
  • by postal mail to the address: Data Protection Officer, MiNET, 5 rue Charles Fourier, 91011 Évry Cedex, France.

In the event of non-compliance with the processing of your data, you can file a complaint with the National Commission for Informatics and Liberty (CNIL). You can contact the CNIL in several ways:

  • through their online service https://www.cnil.fr/fr/plaintes;
  • by postal mail to the address: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France.

These rights may be subject to restrictions under Articles 107 and 110 of the Data Protection Act. In this instance, you cannot object to the processing of your personal data when it is necessary to fulfill a legal obligation. You can contact the CNIL in case of dispute over these restrictions if you encounter them.

1. Definitions

In this privacy policy, the following terms, whether singular or plural, regardless of case, have the following meanings:

  • Member: refers to any natural or legal person who has joined the statutes of the MiNET association;

  • Services: refer to all hosting features of information technology services that MiNET makes available to the member as part of its activities. These features and services include, but are not limited to, providing Internet access, making web applications available for proposing free and open-source alternatives to proprietary services, and providing virtual machines;

  • Member account: personal account created by a MiNET association member allowing access to various services offered by the association and using them;

For all useful purposes, the following definitions are recalled:

  • Personal data: any information relating to an identified or identifiable natural person; a “identifiable natural person” is considered to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements specific to his physical, physiological, genetic, psychological, economic, cultural, or social identity;

  • Processing of personal data: any operation or set of operations carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination, or any other form of provision, comparison or interconnection, limitation, erasure or destruction;

  • Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his designation may be provided for by Union law or the law of a Member State;

  • Recipient: the natural or legal person, public authority, agency, or other body to which the personal data are disclosed;

  • Third party: a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data;

  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;

2. Identity of the controller and its representative

MiNET is the controller for the various services it offers. It is represented by its President (whose civil identity is available on the Team page).

3. Data collected and purposes pursued

MiNET may collect personal data in the context of the services it offers, which are as follows:

  • ADH6 and Payment: platforms for managing members and online contributions respectively;
  • Tickets: platform for managing support requests;

The personal data collected through ADH6 and Payment is gathered within a single member account in a computer file. The personal data collected through Tickets is gathered in a separate computer file. These personal data are processed by MiNET.

In view of the purposes pursued, the collection of data related to the ADH6 and Payment platforms is based on the following legal bases provided by Article 6 of the GDPR:

  • contract performance: processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
  • legal obligation: processing is necessary for compliance with a legal obligation to which MiNET is subject;

The retention of this data constitutes a legal obligation under Articles L34-1 and R10-13 of the French Postal and Electronic Communications Code for the needs of criminal proceedings, the fight against crime and serious delinquency, the prevention of threats to public security, and the safeguarding of national security.

Information concerning the civil identity of members:

Data collectedPurpose of processingLegal basis for processingDuration of conservation
Last name and first name / Business name
  • Member identification
Contract performance for the provision of Internet services5 years from the end of membership
Room number
  • Associate the member with the assigned room
  • Associate the room with the Internet
Contract performance for the provision of Internet services5 years from the end of Internet services supply
Email address
  • Inform the member of the creation and expiration of their membership
  • Inform the member of a substantial update to the contractual documents to which they are a party, as well as of this policy
  • Inform the member of any incidents that may affect the services they benefit from
Contract performance for the provision of Internet services5 years from the end of membership

Other information provided during the subscription of the Internet services supply contract:

Data collectedPurpose of processingLegal basis for processingDuration of conservation
User identifier
  • Member authentication on the platforms provided
  • Member authentication on the internal network
Contract performance for the provision of Internet services1 year from the end of Internet services supply
Password verification data
  • Member authentication on the platforms provided
  • Member authentication on the internal network
Contract performance for the provision of Internet services1 year from the end of Internet services supply

Information related to payment:

Data collectedPurpose of processingLegal basis for processingDuration of conservation
Type of payment used
  • Compliance with legal and regulatory requirements
Legal obligation1 year from the end of membership
Payment reference
  • Compliance with legal and regulatory requirements
Legal obligation1 year from the end of membership
Amount
  • Compliance with legal and regulatory requirements
Legal obligation1 year from the end of membership
Date, time, and location (in case of physical transaction)
  • Compliance with legal and regulatory requirements
Legal obligation1 year from the end of membership

Technical data related to the terminal equipment used:

Data collectedPurpose of processingLegal basis for processingDuration of conservation
User’s IP addresses
  • Assign an IP address to the member’s terminals
Contract performance for the provision of Internet services1 year from the end of Internet services supply
Terminal MAC addresses
  • Authenticate terminals on the internal network
Contract performance for the provision of Internet services1 year from the end of Internet services supply
DHCP leases
  • Record incidents
  • Respond to assistance requests
Contract performance for the provision of Internet services1 year from the end of Internet services supply
Authentication logs
  • Record incidents
  • Respond to assistance requests
Contract performance for the provision of Internet services1 year from the end of Internet services supply

The collection of data related to the Tickets platform and its processing are necessary for the performance of the contract for the provision of Internet services, especially for incident resolution. The retention period of this data is limited to the time strictly necessary for the management of the support request.

Information concerning the civil identity of members:

Data collectedPurpose of processingLegal basis for processingDuration of conservation
Last name and first name / Business name
  • Member identification
Contract performance for the provision of Internet servicesDuration of the management of the support request
Room number
  • Identification and resolution of potential incidents
Contract performance for the provision of Internet servicesDuration of the management of the support request
Email address
  • Member identification
Contract performance for the provision of Internet servicesDuration of the management of the support request

3.3 Application logs

Application logs collect the IP address during navigation on the platforms made available by MiNET. These data are collected for the purpose of responding to incidents, especially in the event of attacks or attempts at computer attacks, and more generally for the needs of preventing harm to data processing systems provided for and punished by Articles 323-1 to 323-3-1 of the French Penal Code. This data is kept for a maximum of one year from the date of collection.

4. Data recipients

Access to personal data is strictly limited to active members of MiNET and subject to a confidentiality obligation. The aforementioned technical data related to the used terminal equipment is only accessible in case of your express request for troubleshooting or in case of requisition by judicial authorities for the needs of criminal proceedings, the fight against crime and serious delinquency, the prevention of threats to public security, and the safeguarding of national security.

No personal data is collected without your knowledge or transferred to third parties.

5. Transfer of data to a non-member state of the European Union

When using the Payment online payment service, certain personal data is transferred by MiNET to the company Stripe, Inc. (headquartered at 354 Oyster Point Blvd, South San Francisco, CA 94080, United States), which is responsible for executing online payments.

To make this transfer, MiNET relies on the adequacy decision of the European Commission of July 10, 2023, stating that the changes made by the United States to their national legislation now allow for an adequate level of protection of personal data transferred from the European Union to organizations located in the United States when they make an effort to comply with this new “data protection framework”. The list of these organizations is managed and published by the U.S. Department of Commerce.

Stripe, Inc. is among these organizations.

The personal data transferred by MiNET to Stripe, Inc. includes:

  • First and last name / Business name;
  • Room number;
  • Email address;
  • User ID;
  • Type of payment used and related payment data;
  • Duration of membership.

Personal data not related to payment is transferred in encrypted form and is not retained by Stripe, Inc.

You can exercise your rights with Stripe, Inc. by contacting their data protection officer in several ways:

  • by email at dpo@stripe.com;
  • by postal mail to the address: Legal Office of the DPO, Office of the DPO, Stripe, Inc., 354 Oyster Point Blvd., South San Francisco, CA 94080, United States.

You can consult the privacy policy of Stripe, Inc. at the following link: https://stripe.com/privacy.

The platforms made available by MiNET (ADH6, Payment, and Hosting) use technical cookies that enable their proper functioning. In this instance, these cookies allow you to log in to your member account and keep your session active.

No tracking cookies are used by MiNET.

7. Data security

MiNET implements all necessary technical and organizational measures to ensure the security and confidentiality of your personal data. These measures are implemented taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the identified risks. However, absolute security does not exist, and the security of your data cannot be guaranteed. Nevertheless, MiNET will make its best efforts to ensure an optimal level of security.

In the event of a personal data breach, and if this incident constitutes a risk to the privacy of the persons concerned, MiNET undertakes to comply with the obligation to notify the CNIL and, if necessary, you, as soon as possible.

8. Rights of the data subjects

MiNET places particular importance on respecting the rights of individuals concerned by the processing of personal data it carries out. This section aims to detail the rights you have in this regard, as mentioned in the preamble.

8.1 Right of access

You have the right to obtain from MiNET confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to that data, as well as the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning you or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from you, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22 of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subjects.

When personal data is transferred to a third country or international organization, you have the right to be informed of the appropriate safeguards under Article 46 of the GDPR related to the transfer.

MiNET may charge a fee not exceeding the cost of reproduction for any additional copy requested. When you make the request electronically, the information is provided in a commonly used electronic form, unless you request otherwise.

If the requests appear manifestly unfounded or excessive, especially because of their number, repetitive character, or systematic nature, MiNET may refuse to respond to the request.

8.2 Right to rectification

You have the right to obtain from MiNET the rectification and completion of your personal data without undue delay when it is inaccurate, incomplete, ambiguous, or outdated.

It is reminded that you can also rectify some of your personal data directly from your member area.

8.3 Right to erasure

You have the right to obtain from MiNET the erasure of your personal data without undue delay when one of the following grounds applies:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • you withdraw consent on which the processing is based, and there is no other legal ground for the processing;
  • you object to the processing, and there are no overriding legitimate grounds for the processing;
  • the personal data has been unlawfully processed.

This right is not a general right, and it cannot be exercised if the situation or the data processing falls under:

  • the exercise of the right to freedom of expression and information;
  • compliance with a legal obligation that requires the processing provided for by the law to which MiNET is subject;
  • archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89 paragraph 1 of the GDPR, insofar as the right referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • the establishment, exercise, or defense of legal claims.

Thus, if none of the above-mentioned grounds applies, MiNET cannot comply with your request for erasure of your personal data.

8.4 Right to restriction of processing

You have the right to obtain from MiNET the restriction of processing where one of the following applies:

  • you contest the accuracy of the personal data, for a period enabling MiNET to verify the accuracy of the personal data;
  • the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
  • MiNET no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims;
  • you have objected to processing pursuant to Article 21 paragraph 1 of the GDPR pending the verification whether the legitimate grounds of MiNET override yours.

When processing is restricted, personal data, with the exception of storage, may only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

You will be informed by MiNET before the restriction of processing is lifted.

8.5 Right to object to processing

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on Article 6 paragraph 1 points e or f of the GDPR, including profiling based on those provisions.

MiNET will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

8.6 Right to data portability

You have the right to receive the personal data concerning you that you have provided to MiNET in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from MiNET, where:

  • the processing is based on consent pursuant to Article 6 paragraph 1 point a or Article 9 paragraph 2 point a of the GDPR or on a contract pursuant to Article 6 paragraph 1 point b of the GDPR; and
  • the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have the personal data transmitted directly from MiNET to another controller, where technically feasible.

This right only applies to data you have provided to MiNET and does not apply to the aforementioned technical data related to the used terminal equipment.

The right to data portability must not adversely affect the rights and freedoms of others.

You can request the portability of your data following the procedure described in Section 8.9, specifying whether you want the data to be transmitted to you or directly to another data controller. In the latter case, you will need to provide the contact details and the exact name of the receiving data controller.

8.7 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with the French National Commission on Informatics and Liberties (CNIL) on the French territory, without prejudice to any other administrative or judicial remedy.

You can contact the CNIL by any means mentioned in the preamble.

You may also bring a legal action before the competent administrative or judicial courts if you consider that the processing of your personal data constitutes a violation of applicable laws.

8.8 Right to define directives regarding the fate of your data after your death

You have the right to define directives concerning the storage, erasure, and communication of your personal data after your death as provided in Section 8.9.

You also have the right to designate a person responsible for the execution of these directives. In the absence of such designation, your heirs will be responsible for the execution of these directives.

You can modify or revoke these directives at any time.

8.9 Exercise of rights procedures

All the aforementioned rights can be exercised with MiNET by contacting our Data Protection Officer by any means mentioned in the preamble, as a reminder:

  • electronically at webmaster@minet.net;
  • by post by addressing to: Data Protection Officer, MiNET, 5 rue Charles Fourier, 91011 Évry Cedex, France.

The exercise of these rights requires you to prove your identity by any means in accordance with Article 77 of Decree No. 2019-536 of May 29, 2019. This requirement aims to avoid any disclosure of your personal data to an unauthorized person.

MiNET undertakes to respond to your request as soon as possible and no later than one month from the receipt of your request. This period may be extended by two months due to numerous simultaneous or concomitant requests within the given time frame or due to a certain complexity, both in terms of substance or form, related to the said request. In this case, MiNET will inform you of this extension and the reasons for the delay within one month from the receipt of the request.

9. Modification of the privacy policy

This privacy policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations from the CNIL, or practices.

In the event of a substantive modification to this policy, any new version will be brought to the attention of members by any means defined by MiNET, including electronically.

Any modification takes effect from its publication. It is therefore recommended to regularly consult the latest version of the privacy policy available on our website.

10. Language of the privacy policy

This privacy policy is written in French. An English translation is available for information purposes only. In the event of a dispute, the French version shall prevail.

11. Applicable law and competent jurisdiction

This privacy policy is subject to French and EU law. In the event of a dispute relating to the validity, interpretation, or execution of this policy, the parties shall endeavor to resolve it amicably. Failing this, the French courts shall have sole jurisdiction to hear the dispute.

12. Additional information

For any additional information, you can contact MiNET through any means mentioned in the preamble.

For any other more general information regarding the protection of personal data, you can consult the CNIL website: www.cnil.fr.