Foreword

The Fil Bleu transport network is operated by Keolis Tours on behalf of Tours Métropole Val de Loire (Syndicat de Mobilités de Touraine, the organising authority).

Fil Bleu - Keolis Tours makes every effort to protect your personal data in accordance with applicable European and French regulations.

This privacy policy ("Privacy Policy") is intended to inform you about the purposes and conditions under which we process the personal data that we may collect through our various channels, such as our commercial services, the websites that we offer such as www.filbleu.fr, our Fil Bleu mobile app, our social network pages or our potential events.

Our Cookie Management Policy, which can be accessed under the heading "Cookie Management" in the footer of the www.filbleu.fr website, supplements this Privacy Policy to inform you of the purposes and conditions of use of cookies or navigation data that may be deployed on our websites and mobile apps.

We encourage you to take the time to read this Privacy Policy so that you have all the information you need to understand how your personal data is used and to freely and fully exercise your rights under applicable legislation and this Privacy Policy.

We encourage you to take the time to read this Privacy Policy so that you have all the information you need to understand how your personal data is used and to freely and fully exercise your rights under applicable legislation and this Privacy Policy.

1. General provisions

Data controller

The person responsible for processing your personal data is Keolis Tours, except when we are acting on the instructions and exclusively on behalf of our principals. In this case, we will inform you (i) either at the time of collection of your personal data, (ii) or in this Privacy Policy, or (iii) when you wish to take steps with us to protect your personal data.

General conditions of use

This Privacy Policy is an integral part of the General Terms and Conditions of Use of www.filbleu.fr and its online services, the General Terms and Conditions of Sale and Use of our services or the General Terms and Conditions of Use of some of our apps and should be read in conjunction with them. These conditions can be found under the heading "Legal Notice": www.filbleu.fr/mentions-legales. For mobile applications, the applicable GGU can be viewed on the apps themselves..

Applicable legislation and competent administrative authority

The Privacy Policy is governed by the General Data Protection Regulation no. 2016/679 (GDPR) and by the French Data Protection Act no. 78-17 of 6 January 1978 as amended (Loi Informatique et Libertés), under the regulatory control of the French personal data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés [National Commission for Information Technology and Civil Liberties] - www.cnil.fr ).

Links to third-party websites

Our websites and mobile apps may contain or use links to websites, mobile apps, products or services that are operated by third parties (including advertising sites, our partners or social networks). Please note that the Privacy Policy does not extend to these third parties, over whom we have no control and for whom we cannot be held liable. We encourage you to review the privacy policies, procedures and practices of these third parties

Protection of minors

For the purposes of the digital delivery of our products and services, we may collect personal data from minors under the age of 16, under the control and with the consent of their legal representatives (parents or guardians). Users of our digital services who inform us that they are under 16 years of age have a discretionary right to have their data erased (subject to our legal retention obligations described in Article 3 ("Use of data collected and retention periods") below), which they may exercise directly or through their legal representative, at any time and without reason, by contacting us in accordance with the conditions set out in Article 9 below ("Contacting us").

2. Personal data

The Privacy Policy applies to personal data that we may collect from or about you (see below), including from the following sources:

  • Completion of subscription or collection forms on paper or via electronic media that we offer or in preparation for or during operations or events that we organise and in which you participate;
  • Visits to one of our physical outlets, requests for information and/or purchases relating to one of our services;
  • Requests for contact or exchanges by email/letter and/or telephone with our customer service team;
  • Receipt of supplier/prospect information for pre-contractual and contractual relationship management;
  • Processing of video surveillance images from cameras installed in our facilities open to the public (sales offices and transport vehicles);
  • Validation of tickets, access control to our services (urban, collective or individual transport, vehicle parking, etc.) or processing of offences and recovery of fines;
  • Use of our services, including our ticketing systems and applications, as well as transport on demand and park and ride services;
  • Processing of offences and recovery of fines;
  • Browsing the websites we offer or using our mobile app;
  • Receipt and sending of emails, text messages and other electronic messages between you and us;
  • Telephone or voice exchanges between you and us or one of our service providers;
  • Exercising your rights under the GDPR by post and/or email to Keolis Tours; and
  • Recruitment of personnel, the reception and management of your application by Keolis Tours and Keolis Tours Access by post and/or email and to build a CV library.

Compulsory information requested at the time of collection is indicated by an asterisk. If you do not provide the required information, your order or request cannot be processed.

3. Use of collected data and retention periods

We collect and use your personal data for the main purposes described below. We will keep your personal data only for as long as is necessary to fulfil the various purposes of data collection and retention, except where we are permitted or required by law to keep it longer.

These maximum periods apply unless you request the deletion or cessation of use of your data prior to the expiry of these periods for a reason consistent with any legal obligation we may have.

The table below summarises the various maximum retention periods that apply:

Purpose

Types of data collected

Life span

Managing your user accounts on our website filbleu.fr

  • Connection data
  • Identification data

1 year from user's inactivity

Managing your M-Ticket user accounts on the Fil Bleu mobile app
  • Connection data
  • Identification data
  • Bank details

As long as the user has not withdrawn their consent, except in cases where an account has been inactive for over 1 year

(your tixiPASS account linked to M-Ticket falls under the policy of its publisher Airweb, not Fil Bleu).

Managing commercial prospecting and sending news to customers and prospects

  • Identification data
  • Data on your personal life

3 years from the end of the contractual relationship for the customer and from the last contact initiated by the prospect. 

Managing and registering for tram/bus/P&R (park and ride) services

  • Identification data
  • Bank details

3 years from the end of the contractual relationship for prospecting

5 years from the end of the contractual relationship

Managing and registering for the transport on demand service

  • Identification and login data
  • Pick-up address and destination, date, time and location

The data will be deleted/anonymised 2 years after the last booking. The journey history will be kept for 12 months/a year (rolling).

Managing, issuing and using tickets (customer relationship management, distribution of media and tickets, sales channel management and ticket validation management)

  • Identification data
  • Validation data
  • Photo

Data relating to the customer relationship is kept for the duration of the contractual relationship and 3 years after the end of it for customers and prospects.

Data relating to complaints during the post-payment period (information required for invoicing, including validation data, except for the location), is kept for 4 months from the date of the events (then 13 months in intermediate storage).

Data relating to unpaid bills is removed from the blacklist as soon as it is cleared. Data is kept for a maximum of 2 years in the absence of regularisation.

Validation data may be retained for a maximum of 48 hours and for the sole purpose of preventing online fraud. The data is anonymised for statistical purposes.

The photo will be kept until expiry of the network subscription card, unless the holder objects.

Conducting surveys on service usage and customer satisfaction with services

  • Identification data
  • Travel and service use patterns

Anonymising responses after the survey has been conducted and studied

Responding to your requests for information/questions

  • Identification and application data
  • Applications received
  • Responses provided

Duration of the processing of your application (maximum 1 year)

Managing and recording the history of purchases and services, guarantees and collection

  • Identification data
  • Order and subscription data
  • Payment data

10 years from the last event, except for data concerning methods of payment, which are processed by Keolis Tours' payment service providers only for the duration of the prescription period for payment transactions

Manging complaints

  • Identification data
  • Order and subscription data
  • Responses provided

5 years from the closure of the claim

Following up reports compiled and the corresponding fines

Detecting habitual offending

Issuing settlement notices, and processing reminders and claims following an offence report

  • Identification data
  • Location data
  • Offence data

Until the fine is paid

12 months maximum

1 year in active database, then 2 years in archive

Manging cookies: audience measurement

  • Cookies

To find out how long we keep your data in order to manage cookies, please see our Cookie Management Policy.

Preventing incidents and recording offences using body-worn cameras

  • Images and sounds
  • Location data
30 days maximum

Prosecuting offenders and providing evidence during judicial, administrative and/or disciplinary proceedings using body-worn cameras

  • Extracted images and sounds
  • Location data

Duration of the procedure

Training and educating sworn officers using body-worn cameras

  • Anonymised data

Anonymous

Managing video surveillance systems on business premises and transport vehicles

  • Recordings
  • Identification data
  • Location data

14 days maximum

Recording calls to the customer service team for training purposes and in the event of incidents

  • Call sounds
  • Identification data

6 months maximum

Managing your recruitment and building a CV database

  • Identification data
  • Data on your professional and personal life (CV, etc.)

The duration of the study of applications, plus an additional 2 years maximum from the date of sending the reply if you are not selected, in order to contact you again for other opportunities, unless you have stated otherwise

Statistical analyses of network usage
  • Anonymised statistics

Anonymous

Managing competitions/giveaways

  • Data required to take part in the competition and to select the winners

Data is kept for the duration of the competition until the prizes are awarded (stored in archives for 5 years)

Lost and found items
  • Identification data
  • Bank details for outstanding fees

12 months from the date of registration for the service

Managing requests to exercise rights and information under the GDPR

  • Identification data, including identity documents
  • Applications received
  • Responses provided

5 years from receipt of the complete application

The identity document is kept only for the duration of the verification period

Manging pre-litigation and litigation and gathering evidence

  • Data required for the ongoing procedure

Duration of the procedure

4. Legal basis for processing personal data

1. Processing purposes based on contractual (or pre-contractual) performance:

  • Managing, issuing and using transport tickets;
  • Managing your user accounts on our sites and/or apps;
  • Registering and managing Fil Bleu services;
  • Managing and recording the history of purchases and services, guarantees, collection and invoicing;
  • Information on the current status of our network and on any incidents and disruptions to the provision of our services;
  • Manging complaints;
  • Managing and registering for the transport on demand service; and
  • Managing staff recruitment by Keolis Tours. 

2. Processing purposes based on your consent:

  • Managing commercial prospecting and sending news to customers and prospective customers;
  • Managing your user accounts on our website filbleu.fr
  • Managing your M-Ticket user accounts on the Fil Bleu mobile app
  • Conducting satisfaction surveys;
  • Managing cookies and trackers on our websites and apps, excluding technical cookies and trackers required for operation.
  • Building a CV library,

3. Processing purposes based on legitimate interest:

  • Managing your information requests/questions;
  • Recording calls to the customer service team;
  • Managing lost and found items;
  • Managing pre-litigation and litigation and gathering evidence: data required for the ongoing procedure;
  • Recording calls on station intercom systems (emergency calls);
  • Carrying out statistical analyses on network usage;
  •  Organising competitions and awarding prizes.
  • Rolling out the use of body-worn cameras on an experimental basis in accordance with article 113 of the Mobility Framework Act (Loi d'Orientation des Mobilités).
  • Installing video surveillance systems in spaces to ensure the safety of goods and persons in accordance with the French Internal Security Code; and
  • Managing staff recruitment by Keolis Tours.

4. Data collected on the basis of legal obligation :

  • Managing fraud and collecting reports and statements, and detecting habitual offending;
  • Managing your requests to exercise your rights (access, rectification, opposition, etc.) under the GDPR.

5. Data transmission

Your personal data may be disseminated:

1) Internally

To the authorised departments of Keolis Tours that need to know about it for the above-mentioned purposes, including the customer service team, the human resources department, the security and fraud department and the sworn officers, the authorised persons of the security department, staff members, the legal department, etc.

2) Within the Keolis group

We may share your personal data with certain entities of the Keolis Group (e.g. Keolis SA and Keolis Solution), in order to ensure the continuity of our services, our relationship with our customers, prospects or users, the websites that we offer and the mobile apps.

For staff recruitment, if you apply via the Keolis Group recruitment portal, your account and application data will be processed by Keolis SA, as a separate data controller, which will forward your application for processing by Keolis Tours, as a separate data controller.

3) To service providers and subcontractors

We may share your personal data with trusted third parties (service providers and subcontractors), located inside or outside the European Union, to help us operate our services and, in particular, to ensure the proper functioning of our websites and mobile apps.

As part of staff recruitment, your personal data that is processed to facilitate the management of your application may also be disseminated to service providers, as well as to external organisations if they are employed by Keolis Tours within the framework of recruitment processes (recruitment agencies).

4) To the organising authority, transport operators in the region/department and local public stakeholders

Customer ticketing data may be transmitted to the organising authority and/or to other operators exclusively in order to ensure the interoperability of tickets and subscriptions.

To help ensure public safety, the urban supervision centre of the city of Tours can consult certain video surveillance footage streams in real time.

Upon expiry of the Public Service Delegation Contract, your customer data will be transmitted to the organising authority and/or the new transport operator of the Fil Bleu network to ensure the continuity of the public service.

5) To business partners

We share certain pseudonymous data, which does not contain any direct identification elements, for the purposes described in Article 3 ("Use of collected data and retention periods") above concerning cookies and trackers collected with partners who collect and process such cookies/trackers. The latter are separately/jointly responsible for the processing operations carried out.

6) To third parties for legal reasons

In the event that we are required to comply with laws and regulations, and legal requests and orders, or if permitted by law (i.e. to protect and defend rights, for situations that threaten life, health or safety, etc.), such as the transmission of outstanding debt reports to the Public Prosecutor’s Office, or the transmission of video surveillance images to the Judicial Police in the event of a court order.

If you have given your express consent, some of your data may be passed on to third-party commercial partners and/or the organising authority exclusively for the purposes set out.

7) In any event

In any event, we always require these recipients to provide sufficient confidentiality and security guarantees and to take the physical, organisational and technical measures necessary to protect and secure your personal data, in accordance with applicable legislation.

All of your personal data is processed and hosted primarily within the EU. However, data may be transferred outside the EU. Any transfer of your data outside the EU is carried out with appropriate guarantees that comply with applicable regulations, either because the recipient countries benefit from the outcome of an adequacy decision, or because these transfers are governed by the implementation of standard contractual clauses approved by the European Commission. For more information on the management of these transfers, you can contact us using the contact addresses indicated in article 9 below ("Contacting us").

6. Data security

We secure your personal data by implementing appropriate physical, organisational and technical measures to prevent unauthorised access, use, disclosure, modification or destruction in accordance with applicable regulations.

These measures include:

  • Storage on secure servers;
  • Securing your data, particularly via pseudonymisation procedures, encryption of transmitted data and the implementation of means to guarantee the confidentiality, integrity and availability of your data;
  • Limited access to your data on a "need to know" basis; and
  • Implementing internal organisational measures (access control, password management policy, etc.) to protect your data, including the implementation of a personal data breach management procedure.

Although we take all possible measures to protect your personal data, we cannot guarantee the security of information transmitted on our websites or mobile apps when a security flaw affects your device or browser.

7. Your personal data rights

Under the GDPR and the French Data Protection Act, you have various rights, including the right to:

1) Access, modification, updating and deletion of your personal data

You may request access to, and review, your personal data held and processed by us, obtain a paper or electronic copy of your personal data and request that it be corrected, updated or deleted. 

2) Opposition

You may, at any time, request that some of your data no longer be processed. 

3) Portability

You may ask for your data being processed to be provided to you in an open and machine-readable format, either for your own use or for transfer to another data controller. 

4) Restricted processing

In some cases, you may request restricted processing of your data. 

5) Complaint to a supervisory authority

Without prejudice to any other legal remedy, you have the right to file a complaint with the supervisory authority of the country of the European Union in which you reside, work or in which you consider your rights have been violated. 

6) Post-mortem data

You can decide what happens to your post-mortem data. 

7) You can exercise all these rights by sending us a written request,

accompanied by proof of identity (where necessary to verify your identity), to the contacts mentioned in Article 9 below ("Contacting us").

We will endeavour to respond to your requests as quickly as possible and in accordance with applicable regulations. However, in some cases, we may not be able to respond favourably in order to fulfil our legal or contractual obligations.

8. Managing cookies

Cookie management is covered by our Cookie Management Policy.

 

9. Contacting us

To exercise your rights or if you have any questions about our Privacy Policy, please contact us via the address below. For any queries regarding the processing of your personal data, you may also contact our Data Protection Officer.

  • By post: Fil Bleu - Keolis Tours - Data Protection Officer - avenue de Florence 37700 ST PIERRE DES CORPS;
  • Via the form available here.

10. Changes to the Privacy Policy

Keolis Tours may make changes to the Privacy Policy from time to time.

We encourage you to check this page regularly for changes and to stay informed about the measures we take to protect your personal data.

The Privacy Policy was last updated on Friday 28th July 2023