This notice applies to personal data processed in the context of the management of requests addressed to the Data Protection Officer (DPO) of Veolia Environnement SA ("Veolia"), the data controller, whose registered office is at 21, rue la Boétie - 75008 Paris, France.
Purpose of the processing
The purpose of the processing is :
-
the receipt of requests to exercise rights (access, rectification, erasure (right to be forgotten), withdrawal of consent, limitation of processing, portability, where applicable), addressed to the DPO via the dedicated data protection contact form accessible online from the website www.veolia.com, via the DPO's generic email box ([email protected]), or by post, as appropriate;
-
the examination and monitoring requests, in conjunction with the internal departments of Veolia or its entities concerned by these requests, or in conjunction with the CNIL services in the event of a referral to the latter by the persons concerned (where applicable);
-
the overall monitoring of the management of requests to exercise rights by the DPO for internal reporting or statistical purposes.
Legal basis
This processing is necessary to comply with a legal obligation to which Veolia or its entities are subject as data controller(s) in compliance with the GDPR and the French Data Protection Act.
Categories of data processed
The categories of data processed are the following:
-
Identification and contact details of the applicant (surname, first name, e-mail address, postal address, if applicable);
-
Description of the subject of the application, date and reference;
-
Additional information requested by the DPO in the event of imprecise requests, such as the legal entity(ies) of Veolia concerned by the request, the reference of the announcement number in the event of a request for access or a request for deletion on the part of an applicant;
-
Supporting documents (such as copy of identity card or passport) necessary for the verification of the identity of the applicant who submitted the application, if required;
-
Exchanges relating to the management of the application until its closure.
The personal data processed may result from direct collection, when data subjects submit a request to the DPO to exercise their rights or request information.
In other cases, the personal data processed may result from indirect collection, in particular if :
-
the DPO receives a request for the exercise of rights or for information from a body duly authorized to act on behalf of and for the account of the data subject in the context of a mandate or requisition (for example, a collection agency);
-
the personal data has been collected via Veolia's processor under a contract, in compliance with the GDPR (e.g. to carry out a survey);
-
the CNIL's services have received a complaint or a request for information from the data subject and they decide to convey this request to the DPO so that the DPO can provide an appropriate response to the data subject.
The collection of data is necessary for the execution of this processing.
The processing does not involve automated decision-making.
People involved
The data processing concerns persons exercising their rights on the basis of Article 6 of the GDPR, applicants, employees, persons bound by Veolia or its entities by a contract or persons named in a warrant in the context of a requisition or similar procedure.
Categories of data recipients
The personal data collected is exclusively intended for the DPO(s) and the departments that need to know in order to identify the person and respond to the request. This may include, where appropriate, the department responsible for handling complaints or other Veolia entities when these entities are directly concerned by the processing of the request.
When the DPO is contacted indirectly by third-party organizations (organizations mandated to act in the name and on behalf of individuals) or by the CNIL services following a complaint, these organizations are provided by the DPO with the data necessary to process the case.
Transfers of data outside the EU
No data is transferred outside the European Union, except where a transfer is necessary to process the data subject's request and in compliance with the GDPR.
Retention periods
Copies of identity documents are deleted after verification by the DPO. Personal data processed in the context of a request to exercise rights or a request for information are kept for the calendar year of the request, plus five years.
Personal data processed in the context of a complaint to the CNIL are kept for 10 years after the closure of the case.
Your rights
In accordance with the regulations applicable to personal data, you have a right of access, rectification, opposition, deletion, limitation of processing and withdrawal of consent, portability (if applicable), which you may exercise by email ([email protected]) or at Veolia's postal address for the attention of Veolia's DPO (30 Rue Madeleine Vionnet / 93300 - Aubervilliers - France), specifying your last name, first name, address and enclosing a copy of both sides of your identity card. You can also define directives concerning the fate of your data after your death.
To find out more about your rights, you can consult the CNIL website (www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles)
If you have any difficulty in processing your request to exercise your rights concerning your personal data, you may again contact Veolia's DPO by post or by mail at the above address. If you feel that you are not satisfied with the DPO's response, you can submit a complaint by post to the Commission Nationale Informatique et Libertés, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 or online (https://www.cnil.fr/).