1. Definitions
GDPR : Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and any other subsequent text of French law including its implementing texts
LIL : French “Informatique et Libertés” law of January 6, 1978 amended.
Personal data : any data relating to an identified or identifiable natural person; an “identifiable natural person” is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to their physical, physiological, genetic, psychological, economic, cultural or social identity
Processing : within the meaning of the GDPR, “processing” corresponds to any operation or set of operations, carried out with or without automated processes, and applied to personal data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction
Data Controller : the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing
Data Processor : the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller
Data subject : these are the natural persons whose personal data are subject to processing.
DPO : the Data Protection Officer, or Data Protection Delegate in French, is the person responsible for ensuring the protection of personal data within the organization which designated him and for monitoring compliance with the regulations in force and applicable to the protection of personal data
2. Who is responsible for the processing carried out on your personal data?
The person responsible for processing personal data covered by this Privacy policy is:
DALKIA SA – Tour Europe – 33, place des corolles – TSA 77655 - 92099 Paris La Défense Cedex
3. What are the different processing activities of your personal data that can be implemented by Dalkia? (The objectives pursued? The legal justifications? The data retention periods?)
In accordance with applicable regulations, Dalkia ensures compliance with all general principles applicable to the processing of personal data.
As such, Dalkia ensures in particular that:
- Personal data is only collected for explicit purposes determined in advance, and Dalkia undertakes not to subsequently process it in a manner incompatible with these purposes;
- Only personal data strictly necessary for the pursuit of the purpose of the processing can be collected, and Dalkia ensures for each processing activity that it can validly invoke one of the legal bases authorizing the implementation of processing of personal data. When the provision of personal data is mandatory and conditions the conclusion of a contract, Dalkia ensures that the persons concerned are informed in advance;
- Personal data is kept only for a period not exceeding that necessary for the purposes for which it is processed.
To be as transparent as possible with regard to the processing of personal data concerning you, you will find below a table containing all the processing carried out by the company Dalkia acting as data controller, with the different purposes of the processing, the legal bases allowing their implementation as well as the retention periods of the data applied.
4. Who has access to your personal data?
In order to be able to provide its services and within the strict framework of each purpose of the processing implemented by the company Dalkia, the following categories of recipients are likely to receive communication of personal data:
- Internal personnel of the Dalkia company, subject to an obligation of confidentiality and specially authorized to process personal data with regard to their functions
- The various suppliers, commercial partners and technical service providers of the Dalkia company, specially authorized to process personal data on its behalf and in accordance with the requirements of the applicable regulations
- Authorities legally authorized within the framework of their missions or the exercise of a right of communication
5. How do we secure your personal data?
Dalkia has an Information Systems Security Policy (PSSI). The group's information systems security manager is responsible for its deployment within the group.
Dalkia implements a set of measures recognized as relevant by IT security experts to ensure a good level of protection of Information Systems and in particular:
- protection against viruses and malware,
- network monitoring,
- protection against intrusions,
- software updates,
- securing premises,
- protection of workstations and servers.
Dalkia regularly develops and strengthens these systems by adapting them to technological possibilities and new vulnerabilities identified. The behavior and vigilance of each user is also a key element of IT asset security. To do this, each user of the information system must respect the Dalkia IT charter. This is updated whenever safety or PDP regulations evolve significantly.
Dalkia has implemented security control measures.
All these security measures are intended to ensure that this data is adequately protected against unauthorized access, modification, disclosure or destruction of the processed data.
These measures include the following:
Dalkia employees, subcontractors, service providers and contacts who need access to your personal data to exercise their roles, functions and responsibilities:
- are authorized and have access strictly reserved for them;
- are made aware and/or trained, according to their roles, functions and responsibilities;
- have signed, according to their functions and responsibilities, a confidentiality undertaking and have been informed of the risks and sanctions in the event of failure to comply with this obligation.
We encrypt data when necessary.
We regularly carry out audits of our suppliers processing personal data on our behalf as well as internal audits.
Dalkia ensures that third parties, service providers and subcontractors within the meaning of the GDPR respect and apply appropriate security measures.
6. Are personal data subject to transfer to a country outside the European Union?
As a matter of principle, Dalkia strives to minimize situations in which personal data could be transferred to a country outside the European Union. However, it may happen that the use of services provided by a service provider or a third-party application may involve, within the meaning of the regulations, a transfer of data to a country located outside the European Union. In these situations, Dalkia will ensure that processing involving a transfer of data outside the European Union can only take place provided that it ensures a sufficient and appropriate level of protection of your personal data. As such, Dalkia, with the support of its data protection delegate, will use one of the mechanisms provided for by the regulations to regulate these transfers, unless it is possible to benefit from an exemption in particular situations and under specific conditions.
However, following recent developments in European jurisprudence and in particular the invalidation of the "Privacy Shield" (Agreement which allowed the transfer of data between the European Union and American operators adhering to its data protection principles without other formality), Dalkia will also ensure, in accordance with the recommendations of the European Data Protection Board relating to measures that complement transfer mechanisms intended to ensure compliance with the EU level of personal data protection, to assess the practical effectiveness of the chosen transfer mechanism with regard to the legislation of the third country. If it emerges from this analysis that the chosen transfer mechanism does not offer a level of protection essentially equivalent to that of the EU, Dalkia will ensure, as far as possible, that additional measures (technical, organizational or contractual) are put in place and regularly evaluated.
7. What rights do you have over your personal data and how can you exercise them?
Under the conditions provided for by the applicable regulations, you have a right of access, rectification and opposition, a right of portability, erasure and limitation, and the right to define guidelines relating to the conservation, erasure and communication of your personal data after your death.
To find out more about the rights you have, you can consult the dedicated page of the National Commission for Information Technology and Liberties (CNIL): https://www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles
You have the possibility to exercise your rights by contacting the data protection officer (“DPO”) of DALKIA SA:
- By post: DPO – Tour Europe – 33, place des corolles – TSA 77655 - 92099 Paris La Défense Cedex,
- Electronically: dpo@dalkia.fr
If, despite the response provided by Dalkia to your request, you are not satisfied, you have the possibility of submitting a complaint to the National Commission for Information Technology and Liberties (CNIL).
8. Review and update of our data protection policy
The content of this data protection policy is part of a dynamic review process for processing under Dalkia's responsibility, which is subject to regular updates.
Dalkia may therefore be required to modify this confidentiality policy in order to:
- modify the list of processing activities as well as their conditions of implementation
- integrate regulatory and jurisprudential developments