The protection of your personal data is important to the Group ENGIE and its business unit “Global Energy Management”.
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”)), the company acting as data controller for your Personal Data (“we”, “us”, “our”) may be (i) the company of Group Engie with whom you are in contact or with whom you have a contract in place (ii) or the company of Group Engie which is the publisher of the website you use.
Which Personal Data do we use?
Visitors of our websites:
- We collect a limited amount of data from the visitors of our websites which we use to help us to improve the user experience and to help us manage the services we provide. This may include information such as electronic identification data (e.g. your IP address, login – whenever required) or information provided through our on-line contact forms or our extranet platforms (e.g. contact details, email address, postal address, etc.).
We process the following categories of Personal Data:
- Personal Data allowing the identification of the directors of your company and the persons authorised to represent it (surname, first name, passport or identity card number, date of birth, etc.);
- Personal Data relevant to the management of our business relationship (such as phone numbers and email addresses);
- Personal Data connected to our internal investigations, including checks linked to the verifications performed before entering into a business relationship and throughout our business relationship, checks regarding the application of the rules on sanctions, the fight against money-laundering and financing of terrorism, the prevention and detection of crime, etc.;
- records of all correspondence and communication between us, including electronic transactions and emails, telephone calls, instant messages or any other form of interaction and communication, only to the extent permitted by applicable law;
- Personal Data that we need in order to fulfil our legal and statutory obligations, including your transaction data, information required for the detection of any suspicious or abnormal activity;
- other information not mentioned above that is required for the organisation of events or conferences;
- in connection with the use of a video surveillance system to protect our offices and ensure the security of our staff, premises and data, any images, photos or videos of you that may be collected if you visit our offices, only to the extent permitted by applicable law.
How do we collect Personal Data?
The Personal Data we process may either be directly provided by you, or by our clients/counterparties/suppliers, or be obtained from the following sources in order to verify or enrich our databases:
- search engines such as World Check Risk Intelligence and LexisNexis;
- publications/databases made available by official authorities (e.g. the official journal);
- databases made publicly available by third parties.
Why and on which basis do we use the Personal Data?
We may only process Personal Data if the processing is necessary:
- to fulfil our legal and statutory obligations, such as the detection and prevention of any risk of a financial offence or crime (e.g. money laundering and financing of terrorism, market abuses);
- to execute the contract (in case of our clients/counterparties: to provide products and services, carry out instructions of our clients/counterparties and fulfil our commitments to our clients/counterparties; in case of our suppliers: to execute the vendor contract);
- to fulfil our legitimate interest, such as maintaining the security of our operations, IT systems and premises and fulfilling of our ethical obligations; and
- in certain cases, with your prior, free and informed consent for a specific processing.
We may use Personal Data among others for the following specific purposes:
- to fulfil our legal and statutory obligations and implement the procedures in place for the prevention of financial offences/crimes, such as procedures for assessing and checking business partners, due diligence procedures, ultimate beneficial ownership questionnaires and other questionnaires, etc.;
- to be able to provide proof of our business transactions by keeping a record of our interactions with our counterparties (by telephone, email or any other form of communication);
- to ensure the security of our operations and our premises;
- to provide products and services, carry out our counterparties’ instructions, fulfil our commitments to our counterparties and ensure that invoices are issued for this;
- to manage our business relationship by personalising our products and services, organising commercial events with data subjects, etc.;
- to be able to defend our rights in connection with any investigation involving a regulator or other competent authority in strict compliance with the applicable legislation.
We do not make decisions about Data Subjects based exclusively on automated processing that produce legal effects concerning them or similarly significantly affect them.
The provision of some of the Personal Data (e.g. name, address, etc.) is a condition to the conclusion of the contract between our clients/counterparties/suppliers and us.
The possible consequences of not providing your Personal Data could include our inability to meet our obligations under the contract between our clients/counterparties/suppliers and us or a breach by us of one or more obligations under applicable laws (e.g. accounting, tax or financial laws).
Who do we share the Personal Data with?
The Personal Data collected as part of this processing may be shared with ENGIE Group, internal and external service providers, such as our IT solution providers (facilities management, data maintenance, etc.), and with the staff of the companies, branches and subsidiaries working within the Global Energy Management Business Unit, and only for the purposes mentioned above.
We may also share Personal Data with:
- Government entities authorised to access and/or obtain your Personal Data in accordance with applicable law;
- The courts and tribunals of the judicial order in the event of a dispute involving you;
- Law enforcement authorities in the event of a finding or a suspicion of the occurrence of an offence involving you in accordance with or as required by applicable law.
In the event of company reorganisations (e.g. mergers or acquisitions), we may transfer your Personal Data to a third party, or an Engie Group company involved in the transaction (for example, a buyer) in accordance with applicable data protection law.
Transfers of Personal Data outside the European Economic Area
We may transfer your Personal Data to countries located outside of the European Economic Area (“EEA”).
In case your Personal Data is transferred to countries located outside of the EEA, we will ensure that appropriate safeguards are taken, such as:
- The country to which the Personal Data are transferred has benefited from an adequacy decision by the European Commission under Article 45 of the GDPR; or
- Standard data protection contractual clauses as approved by the European Commission pursuant to Article 47 of the GDPR have been established; or
- In case of a transfer of Personal Data to the United States, the transfer complies with the conditions imposed by the EU-US Privacy Shield under Article 45 of the GDPR.
For further information about transfers of Personal Data outside of the EEA, please consult the following link: https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en.
How long do we keep the Personal Data for?
The Personal Data are retained (i) for the period required to achieve the purposes described above, up to the time limits provided for by the applicable regulation; (ii) with regard to storage of the data for use as proof and as a response to requests from the competent authorities, up to the time limits provided for by the applicable regulations, such as the limit of five years for the retention of records of correspondence and communications between us; (iii) with regard to use for our defence in response to claims and/or disputes, for the period provided for by law, and for a reasonable additional period if needed.
What are your rights and how can you exercise them?
In accordance with applicable regulations, you have the following rights:
– To access: you can obtain information relating to the processing of the Personal Data, and a copy of such Personal Data.
– To rectify: where you consider that the Personal Data are inaccurate or incomplete, you can require that such Personal Data be modified accordingly.
– To erase: you can, under certain circumstances, require the deletion of the Personal Data, unless we have a compelling reason to keep it (e.g. a mandatory minimum retention period set forth by applicable law).
– To restrict: you can request the restriction of the processing of the Personal Data.
– To object: you can object to the processing of the Personal Data. Please note that you cannot object to processing that is necessary for the execution of the contract and for the fulfilment of a legal or statutory obligation to which we are subject. You have the absolute right to object to the processing of the Personal Data for direct marketing purposes, which includes profiling related to such direct marketing.
– To withdraw your consent: where you have given your consent for the processing of the Personal Data, you have the right to withdraw your consent at any time.
– To data portability: where legally applicable, you have the right to have the Personal Data you have provided to us be returned to you in a commonly used machine-readable format or, where technically feasible, transferred to a third party.
We implement adequate technical and organisational measures to ensure a level of security of your Personal Data that is appropriate to the risks.
We take appropriate measures to ensure that we report security incidents leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
How to contact us?
Should you have any questions relating to our use of the Personal Data or should you wish to exercise your rights, please send your request to our Data Privacy Manager and/or our Data Privacy team by email at firstname.lastname@example.org. We will try to comply with your request as soon as reasonably practicable and always under the timeframes set forth by applicable data protection law. Please note that we may need to retain certain of your Personal Data for certain purposes as required or authorised by law. Please also note that, if we have doubts about your identity, we may require you to provide us a proof of your identity to prevent unauthorised access to your Personal Data.
We also inform you that you may lodge a complaint with the competent supervisory authority, the name of which can be found at the following link: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
We will inform you of any material changes through our usual communication channels.