Veolia Industries Global Solutions
3 June 2020
Veolia Industries Global Solutions (VIGS) makes strong commitments to the protection of personal data, which it places at the heart of its concerns.
This Policy may evolve from time to time, either due to the legal context in France and in the European Union or to recommendations or decisions made by the CNIL (French supervisory authority for the protection of personal data).
This Policy concerns only VIGS and its subsidiaries.
PERSONAL DATA COLLECTED, PURPOSES OF THE PROCESSING AND THE DPO
VIGS has set up an organization responsible for the correct application of, and compliance with, this policy, under the supervision of the Data Protection Officer (“DPO”).
Furthermore, VIGS takes action to raise its employees’ awareness of the need to protect personal data, so that no collection or processing takes place unless it is relevant to the intended purposes, and unless those purposes are defined so as to guarantee that they are lawful, specified, explicit and legitimate.
Any processing implemented by VIGS that may involve personal data is the subject of a full descriptive form, entered in the “Record of processing” held by VIGS’ Data Protection Officer (DPO).
VIGS thus ensures that the collection of personal data and its processing comply with:
- regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and
- law n° 78-17 of 6 January 1978 on the protection of personal data (French Data Protection Act).
VIGS has placed its DPO under the Group CCO’s authority with a view to guaranteeing the DPO’s independence and to putting the protection of personal data at the center of the company’s organizational structure.
VIGS relies on 6 golden rules so that any person collecting or processing personal data on its account:
- abides by the GDPR and ensures that personal data are collected, used and shared while respecting the rights of the concerned persons and the concept of “privacy by design”;
- is transparent and clear with the concerned persons about the purposes of the processing, about the means of its implementation and about the persons with whom their data will be shared; seeks the natural persons’ consent whenever possible, and proceeds without their consent only where the GDPR or the law allows it, or where their prior consultation is impossible or may present a specific risk;
- seeks advice in case of any doubt on how to process personal data, compares opinions with other practitioners, obtains legal advice or advice from the competent supervisory authority if need be, and documents the decision;
- bases the decision to collect, use or share personal data on the natural person’s interest, in order to process only data that are necessary, relevant, adequate, proportionate, accurate, up to date and secure, for a period of time consistent with the purposes of the processing;
- ensures that any information shared is strictly necessary to reach the purposes of the processing and to allow providers to render the services expected;
- makes sure that the security measures are proportionate to the risks involved and are taken to preserve the availability, confidentiality and integrity of the processing.
CONCERNED PHYSICAL PERSONS’ INFORMATION
In accordance with the GDPR, VIGS is committed to informing the concerned natural persons of the rights they are guaranteed, by informing them about:
- the identity of the data controller;
- the purpose of the processing;
- where relevant, whether answers are obligatory or optional and what the potential consequences of their failure to answer are;
- the recipients of the data;
- their right of access to, rectification of or erasure of the data that concern them, the right to object to the processing for legitimate reasons or to object to the processing of their data for marketing activities, as well as the right to give general or specific instructions for the processing of the data that concern them after their death;
- the period of time for which the data are stored.
VIGS informs all concerned natural persons that the personal data entered into an automated processing are listed in a Register and may be accessed by VESA’s internal audit, by the compliance department or the DPO, by the auditors, by the people in charge of investigating alerts about behaviours that may violate the Group’s ethics rules, by its counsels or a competent authority and, in some cases, by the stakeholders involved in a merger or acquisition.
VIGS may share some of the personal data collected with Group employees or with service providers and suppliers, strictly within the necessary limits required for the fulfilment of their tasks.
VIGS ensures that they comply with the laws and regulations applicable to the protection of personal data and that they pay special attention to its confidentiality.
Personal data collected by VIGS or on its behalf are stored by VIGS or its service providers, in particular on cloud storage services.
For reasons that are mostly technical or linked to Veolia Environnement SA’s international dimension, some data may be stored or accessed outside the European Union or the European Economic Area (EEA). If so, VIGS ensures that effective measures, compatible with the GDPR’s requirements, are taken to offer an adequate level of protection for personal data, in particular strict and appropriate physical, technical, organizational and procedural measures to ensure the availability, security and integrity of the personal data, adjusted according to their nature or sensitivity.
VIGS seeks to limit the storage duration of personal data to the period of time necessary to complete the operations for which they were collected and processed, as permitted by the applicable regulation. Personal data are then irreversibly destroyed or anonymized.
SECURITY AND ALERTS
VIGS has adopted measures to ensure the security of the personal data collected, in a manner appropriate to their sensitivity and to the associated risks. Thus, the IT teams and their providers or subcontractors implement the requirements set out in Veolia’s Cybersecurity policy, in particular those relating to:
- the identification of cyber risks,
- the implementation of adapted network protections through filter devices,
- keeping the various infrastructure components in a secure condition, in particular by applying software updates and upgrading components, and by preventing their use for purposes other than maintenance,
- the hardening of infrastructure components such as servers or workstations,
- regular checks for infrastructure or application vulnerabilities, through monitoring and the use of technical and application vulnerability scanners,
- the encryption of data at rest where necessary and of data in transit,
- the use of security good practices when developing new applications, in particular web applications,
- the allocation of user rights in compliance with the “least privilege” rule and the need-to-know principle,
- access protection through strengthened identification mechanisms and regular review of accounts,
- security monitoring of personal data and applications through the centralization and analysis of logs,
- the preservation of evidence proving the implementation of the above measures.
When a breach affects personal data held by VIGS, VIGS will act promptly after becoming aware of the breach in order to inform the CNIL where appropriate and, if need be, to identify the flaws and implement adapted security measures.
PHYSICAL PERSONS’ RIGHTS
In accordance with the personal data protection act of 6 January 1978, as amended, natural persons whose data are collected have, within the limits of the law, a right of access, a right to rectification, where applicable a right to portability, a right to erasure of the personal data that concern them, and a right to restriction of processing.
They also have a right to give the data controller instructions concerning the fate of their personal data after their death.
Each natural person concerned by a processing may exercise their rights by writing to the person in charge of that specific processing at VIGS, whose identity was indicated at the time of collection, and then by sending an email to VIGS’ DPO at the following address: [email protected].
For any further information relating to this policy, please send an email to VIGS’ DPO ([email protected]) or contact the Group Chief Compliance Officer.
In general terms, any concerned person always has the possibility of contacting the French supervisory authority (https://www.cnil.fr, or by post to the following address: 3, Place de Fontenoy, 75007 Paris - France).