Legal notices
PERSONAL DATA POLICY
1. Preamble - Who we are
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter the "GDPR") sets out the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, processors, data subjects and data recipients. It requires that data subjects be informed of their rights in a concise, transparent, comprehensible, and easily accessible manner.
Within the scope of its activity, GIE GLD SERVICES, GIE whose registered office is at 52, Avenue du Canada - 35200 Rennes, registered with the Rennes Trade and Companies Register under number 380 855 486 (hereinafter the "Company"), and data controller, implements the personal data processing operations described below.
For a proper understanding of the present policy, it is specified that:
· "Candidate": a natural person applying for a job on the https://recrutement.groupeleduff.com website, which is managed by the Company. The job may be offered within the Company, the Groupe Le Duff entities concerned, or companies operating establishments under the Groupe Le Duff brand (franchisees).
· "Data controller": the natural or legal person who determines the purposes and means of the personal data processing operations defined in this policy. Under this policy, the data controller is the Company.
· "Processor": the natural or legal person who processes personal data on behalf of the data controller. In practice, this refers to the service providers with whom the Company works and who handle the personal data it processes.
· "Data subjects": refers to persons who can be identified, directly or indirectly. They are referred to herein as "applicants».
· "Recipients" refers to the natural or legal persons who receive personal data. Data recipients may therefore be both internal recipients and external bodies.
2. Purpose
The Company implements and operates the processing of personal data relating to applicants for positions on the https://recrutement.groupeleduff.com website within the Company, the Le Duff Group entities concerned, or companies operating establishments under the Le Duff Group brand (franchisees).
The purpose of this policy is to meet the Company's obligation to provide information and to formalize the rights and obligations of applicants about the processing of their personal data.
The processing of personal data may be managed directly by the Company or by a subcontractor specifically appointed by it.
This policy is independent of any other document that may apply within the contractual relationship between the Company and candidates (cookies, commercial or partnership contracts, etc.).
3. General principles and commitment
The Company will only process candidates' data if it relates to personal data collected by the Company for its services, or for the branches and franchisees of the Le Duff Group brands or processed in connection with the job offers of these entities.
Applicants will be informed of any new processing, modification, or deletion of existing processing.
4. Data collected
DATA COLLECTED AND PROCESSED:
· Identification: surname / first name / title / job title
· Contact details: telephone / e-mail / postal address
· Professional life: Training / Professional experience / Diploma / Awards / Interview report / names of employer companies / information on professional career and information communicated by the candidate in the Curriculum Vitae and covering letter sent to the Site.
· Photo when the right is granted largely, any information and personal data communicated spontaneously as part of the application.
5. Sources of data
The Company collects Candidate data from the data provided by the Candidate via the forms or electronic forms completed by him/her.
The Company informs that it may also enrich Candidates' profiles with information concerning them, namely information collected (i) during exchanges with Candidates, be they written, telephone or physical interviews and (ii) from professional social networks or from any public information source, when this information is useful for managing the application.
6. Purpose of processing
This information is processed for the purpose of managing the application. The data may also be included in a CV library, which will enable the Company to offer other vacancies to the Applicant, where appropriate.
To facilitate external and internal recruitment, the Company uses the Digital Recruiters software, published by BANKESS, to post job offers, collect applications, and manage them.
The Company is responsible for processing the personal data it receives, while BANKESS acts as a subcontractor.
Given its purpose, which consists of processing the personal data of candidates responding to job offers and the integration of data on candidates within the Company's CV library, the processing of personal data is necessary for the pursuit of the Company's legitimate interests, namely the management of recruitment processes, as well as the execution of pre-contractual measures that may exist between the Company and candidates responding to job offers.
7. Legal basis
In view of its purpose, which is to process the personal data of candidates responding to job offers and the integration of data on candidates within the Company's CV library, the processing of personal data is necessary for the pursuit of the Company's legitimate interests, namely the management of initial recruitment processes, as well as the performance of pre-contractual measures that may exist between the Company and candidates responding to its job offers.
The processing operations described in this policy are necessary for the performance of pre-contractual measures taken at the request of the applicant.
8. Recipients of data
This data is hosted in France and will be forwarded to the persons in charge of recruitment within the Company to enable them to study the application. Answers corresponding to fields marked with an asterisk are compulsory and failure to answer may compromise the follow-up of the application. In other cases, they are optional and have no effect on the examination of the application.
The Company ensures that data is only accessible to the following authorized internal or external recipients:
· Corporate officers and employees of the Company, Groupe Le Duff entities, companies operating under the Groupe Le Duff brand (franchisees),
· if necessary, employees of the Company's technical service providers involved in the operation of the "recrutement.groupeleduff.com" website (e.g. translation service, IT service provider, reprographics, etc.)
· control services,
· public bodies, exclusively to meet the Company's legal obligations, legal auxiliaries, ministerial officers,
· the Company's communications department,
· the Company's IT department.
Except for communication to the persons defined above, personal data will not be communicated, transferred, leased, or exchanged for the benefit of any third party whatsoever.
In its capacity as a subcontractor of the Company, BANKESS is authorized to access personal data, when necessary, as part of its duties to administer and maintain the Company's careers site and application management tool but may not pass such data on to its own subcontractors without the Company's prior consent. BANKESS may transmit personal data to a judicial authority upon request.
9. Transfer of personal data
If a candidate wishes to apply for a position in a country outside the European Union, the Company may transfer the personal data collected to recipients (as defined in Article 8) located in the said country, if this is necessary for the purposes of examining the application.
Where the country concerned does not benefit from an adequacy decision (which means that it offers personal data a degree of protection equivalent to that in force in the European Union), the Company ensures, as far as possible, that the transfer is subject to one of the following appropriate safeguards:
· standard contractual clauses approved by the CNIL,
· adherence to an approved code of conduct,
· compliance with a certification mechanism certified by an approved body,
· binding company rules approved by the CNIL.
IN THE EVENT THAT THESE MEASURES CANNOT BE PUT IN PLACE, THE APPLICANT IS INFORMED THAT THE TRANSFER INVOLVES HIGH POTENTIAL RISKS OF VIOLATION OF HIS/HER PERSONAL DATA (LOSS OF AVAILABILITY, INTEGRITY, OR CONFIDENTIALITY OF PERSONAL DATA, WHETHER ACCIDENTAL OR UNLAWFUL): THE APPLICANT THEREFORE SPECIFICALLY CONSENTS TO THIS TRANSFER.
10. Retention period
The duration of data retention is defined by the Company in the light of its legal and contractual obligations.
Data will be kept for a maximum of one (1) year after collection.
However, data required to establish proof of a right or contract, or to comply with a legal obligation, will be kept for the period stipulated by the law in force.
At the end of the retention period defined for each category of personal data processed, and subject to the provisions allowing archiving strictly necessary for the exercise of a right and proof of that right for the duration of the applicable limitation periods or by virtue of the legal obligations to which the Company is subject, the Company:
· destroys personal data, or
· irreversibly anonymize the personal data, so that it no longer constitutes personal data within the meaning of the applicable regulations.
Candidates are reminded that deletion or anonymization are irreversible operations and that the Company is no longer able to restore them.
11. Right of access
Candidates traditionally have the right to request confirmation from the Company as to whether data concerning them is being processed.
Candidates also have a right of access, subject to compliance with the following rules:
· the request must be made by the person concerned, accompanied by a copy of an up-to-date identity document.
· the request must be made in writing to the following address Référent Données Personnelles - Groupe LE DUFF - 52 avenue du Canada 35200 RENNES or at the following e-mail address: vosdonneespersonnelles@groupeleduff.com
Candidates have the right to request a copy of their personal data processed by the Company. However, in the event of a request for an additional copy, the Company may require candidates to bear the cost.
If candidates submit their request for a copy of the data electronically, the information requested will be supplied in a commonly used electronic form, unless otherwise requested.
Candidates are informed that this right of access may not relate to confidential information or data, or to data for which communication is not authorized by law.
12. Updating and rectification
You may exercise this right by contacting your usual contact, or failing that, the Company's Communications Department.
To ensure that the personal data collected by the Company is regularly updated, the Company may ask candidates to comply with its requests.
The Company may not be held responsible for failure to update personal data if the applicant fails to do so.
13. Right to erasure
Candidates' right to erasure shall not apply in cases where processing is carried out to meet a legal obligation.
Apart from this situation, candidates may request the deletion of their data in the following limited cases:
· when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
· when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.
· when the data subject objects to processing that is necessary for the purposes of the legitimate interests pursued by the Company and there is no compelling legitimate reason for the processing.
· when the data subject objects to the processing of his/her personal data for canvassing purposes, including profiling.
· when personal data has been processed unlawfully.
14. Right to limitation
Applicants are informed that this right is not intended to apply insofar as the processing carried out by the Company is lawful and all personal data collected is necessary for the performance of the commercial contract.
15. Right to data portability
The Company grants the right to data portability in the case of data communicated by candidates themselves, on online services offered by the Company and for purposes based solely on the consent of the persons concerned. In this case, the data will be communicated in a structured, commonly used, and machine-readable format.
16. Automated individual decisions
The Company does not make automated individual decisions.
17. Post-mortem rights
Candidates are informed that they have the right to formulate directives concerning the conservation, deletion, and communication of their post-mortem data. The communication of specific post-mortem directives and the exercise of their rights can be carried out:
· by e-mail to vosdonneespersonnelles@groupeleduff.com
· or by post to the following address Référent Données Personnelles - Groupe LE DUFF - 52 avenue du Canada 35200 RENNES, accompanied by a signed copy of an identity document.
18. Justification - Manifestly excessive exercise of rights
Regarding all the above-mentioned rights enjoyed by the Applicant and in accordance with legislation on the protection of personal data, the Applicant is informed that these are rights of an individual nature which can only be exercised by the person concerned in relation to his/her own information. To meet this obligation, the identity of the person concerned will be verified.
Please note that if a data subject's requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may:
· demand payment of a reasonable fee that takes account of the administrative costs incurred in providing the information, making the communications, or taking the action requested; or
· refuse to comply with such requests.
19. Optional or compulsory answers
Candidates are informed on each personal data collection form of the compulsory or optional nature of their answers by the presence of an asterisk.
Where answers are compulsory, the Company will explain to applicants the consequences of failing to reply.
20. Right of use
Candidates grant the Company the right to use and process their personal data for the purposes set out above.
21. Subcontracting
The Company informs candidates that it may involve any subcontractor of its choice in the processing of their personal data.
In this case, the Company shall ensure that the subcontractor complies with its obligations under the GDPR.
The Company undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on subcontractors as it does. In addition, the Company reserves the right to audit its subcontractors to ensure compliance with the provisions of the GDPR.
Currently in its capacity as one of the Company's subcontractors, BANKESS is authorized to access personal information, when necessary, as part of its duties to administer and maintain the Company's careers site and application management tool.
22. Security
The Company is responsible for defining and implementing the technical security measures, whether physical or logical, that it deems appropriate to prevent the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.
These measures mainly include:
· the use of security measures for access to premises (locked offices, badges, etc.).
· secure access to our computer workstations and smartphones (regularly updated access codes).
· login and password for all our business applications.
· data access authorization management (specific to our finance, accounting, and communications departments).
· VPN for remote connections.
· complex passwords for our Wi-Fi network, modified regularly.
To this end, the Company may engage the assistance of any third party of its choice to carry out vulnerability audits or penetration tests, at intervals it deems necessary.
In any event, the Company undertakes, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.
In the event of subcontracting all or part of the processing of personal data, the Company undertakes to contractually impose security guarantees on its subcontractors, by means of technical data protection measures and appropriate human resources.
23. Data breach
In the event of a personal data breach, the Company undertakes to notify the Cnil under the conditions prescribed by the GDPR.
If the said breach poses a high risk to candidates and the data has not been protected, the Company:
· will notify the candidates concerned.
· will provide the candidates concerned with the necessary information and recommendations.
24. Data processing register
The Company maintains a data processing register.
25. Right to lodge a complaint with the CNIL
Candidates concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the Cnil in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:
Cnil - Service des plaintes :
3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 Tél : 01 53 73 22 22
26. Changes
The present policy may be modified or amended at any time in the event of changes in legislation, case law, Cnil decisions and recommendations or practices. Any new version of this policy will be brought to the attention of applicants by any means chosen by the Company, including electronically (for example, by e-mail or online).
27. Further information
For further information, please contact our Data Protection Officer at the following e-mail address vosdonneespersonnelles@groupeleduff.com
For more general information on the protection of personal data, please consult the Cnil website www.cnil.fr