Personal Data Protection (PDP)

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any other subsequent French legislation, including its implementing regulations.

LIL: French Data Protection Act of 6 January 1978, as amended.

Personal data: any data relating to an identified or identifiable natural person; an "identifiable natural person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: within the meaning of the GDPR, "processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes of processing and means of the processing of personal data.

Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

DPO: the Data Protection Officer advises and supports the body that appoints them with compliance issues.

Your personal data is processed by Dalkia SA, headquartered at Tour Europe – 33, Place des Corolles – TSA 77655 – 92099 Paris La Défense Cedex – in its capacity as the controller.

The personal data categories we process are listed in the appendix for each of the types of processing carried out.

The processing we carry out on your personal data is for the following purposes:

• managing our relationship,
• monitoring and delivering the services you contracted with us,
• managing your account in the Customer Area,
• responding to your requests for information,
• keeping you informed,
• managing any complaints,
• managing the recording of your calls,
• contributing to help us improve our services,
• presenting the features of our services recognised by our customers,
• managing your participation in our events,
• managing a whistleblowing incident,
• responding to your requests regarding your personal data.

Dalkia processes your personal data on grounds of:

• statutory obligations. This concerns all processing required by French and European legislation.
• pre-contractual and contractual actions. This concerns the processing carried out to prepare for the signing of contracts with current and future Dalkia customers, and their performance.
• its legitimate interest. This concerns all processing carried out that is necessary for running the company.
• your consent. This concerns the processing carried out to keep you informed, invite you to events or present the features of our services recognised by our customers.

Your data is processed by authorised persons at Dalkia. We may be required to share your personal data in response to legal obligations or administrative or judicial decisions.

We may therefore be required to communicate them to persons authorised by state agencies and services.

We may also share them with partners or service providers, in order to process all or part of your personal data, to the extent necessary for the performance of the tasks entrusted to them (for example, the operation of our website, the provision of services related to the operation or maintenance of the information system, the provision of services concerning the recording of your calls, or for carrying out investigations). Your personal data will be shared only with authorised persons.

To the extent possible, your data are not transferred outside the European Union. However, since some of our service providers are located in countries outside the European Economic Area, your personal data are processed in these countries. In such cases, we ensure that the transfer is carried out in a manner that complies with the applicable personal data protection regulations.

Dalkia has an Information System Security Policy (ISSP) in place. In particular, the Group Information System Security Officer is responsible for its deployment within the group.

Dalkia implements a set of systems deemed appropriate by IT security experts to ensure a good level of protection for Information Systems, in particular:

• protection against viruses and malware,
• network supervision,
• protection from hacking,
• software updates,
• securing the premises,
• protection of workstations and servers.

Dalkia regularly updates and strengthens these systems in line with technological capabilities and any new vulnerabilities identified. The behaviour and vigilance of each user is also a key factor in the security of IT resources. Accordingly, everyone using the information system must comply with Dalkia’s IT charter. This is updated whenever safety or personal data protection regulations change significantly.

Dalkia has implemented security control measures.

All such security measures are intended to ensure that the processed data are appropriately protected against unauthorised access, modification, disclosure or destruction.

The main measures are as follows:

Employees, subcontractors, service providers and contact persons at Dalkia who need access to your personal data to perform their roles, functions and responsibilities:

• are authorised and have access which is strictly reserved for them;
• are given information and/or trained, depending on their roles, functions and responsibilities;
• have signed, according to their functions and responsibilities, a confidentiality undertaking and have been informed of the risks and penalties that apply in the event of breach of this obligation.

We encrypt data when necessary.

We conduct both internal audits and audits of our suppliers processing personal data on our behalf.

Dalkia ensures that third parties, service providers and processors within the meaning of the GDPR comply with and apply appropriate security measures.

In accordance with the regulations, we store your personal data only for no longer than is necessary for the fulfilment of the purposes indicated. These storage periods are based on:

• our statutory or regulatory obligations,
• the duration of your contract, if you have entered into a contract with Dalkia,
• the time required to process your request or complaint,
• the period during which your user account in the Customer Area remains open,
• your interest in our services,
• the need to maintain a history of your interactions with us, for the proper management of our business relationship.

Under the conditions set out in the applicable regulations, you have a right of access, rectification and objection, the right to portability, erasure and limitation of processing, and the right to give instructions on the storage, erasure and communication of your personal data after your death.

These rights may be exercised by contacting Dalkia SA:

By post: DPO Service – Tour Europe – 33, Place des Corolles – TSA 77655 - 92099 Paris La Défense Cedex,

By email: dpo@dalkia.fr.

If you are not satisfied despite Dalkia’s response to your request, you are entitled to file a complaint with the French supervisory authority, CNIL.

We undertake to process personal data in accordance with the statutory provisions in force. This policy will be reviewed based on improvements on personal data protection regulation.

See attached document