Purpose of the processing
The purpose of the processing is:
- receipt of requests relating to data subjects’ rights (access, rectification, erasure (right to be forgotten), withdrawal of consent, restriction of processing, portability, if applicable) sent to the DPO via the data protection contact form available online on www.suez.com, via the generic email address of the DPO (firstname.lastname@example.org), or by letter, depending on the case;
- preliminary investigation and monitoring of such requests, in collaboration with the internal departments of SUEZ or of its entities concerned by the requests, or in collaboration with the French Data Protection Authority (CNIL) if a complaint is lodged with it by the data subjects (where appropriate);
- overall monitoring of the management of requests to exercise rights by the DPO for the purposes of internal reporting or statistics.
Processing enables SUEZ to comply with Article 7 (Conditions for consent) and where appropriate Articles 13 et seq. of the GDPR (Information and access to personal data) and with the French Data Protection Act.
Categories of data processed
The following categories of data are processed:
- Identity and contact details of the applicant (surname, first name, email address, postal address, where appropriate);
- Description of the purpose of the request, date and reference;
- Additional information requested by the DPO if the request is unclear, such as the legal entity/entities of SUEZ concerned by the request, reference number of the job advertisement, in the event of a request for access or erasure by an applicant;
- Written proof (identity card or passport) required to check the identity of the applicant making the request, if necessary;
- Exchanges relating to management of the request until it is closed.
The personal data processed may result from direct collection, if the data subjects send a request to exercise their rights or a request for information to the DPO.
In other cases, the personal data processed may result from indirect collection, in particular:
- If the DPO receives a request to exercise rights or for information from a body that is duly authorised to act on behalf of the data subject in connection with a mandate or requisitioning (e.g. a collection agency);
- If the personal data were collected by a data processor of SUEZ by virtue of a contract, in compliance with the GDPR (e.g. in order to conduct an investigation);
- If the data subject lodged a complaint or made a request for information to the CNIL, and the CNIL decides to pass on the request to the DPO so that the DPO can give a suitable reply to the data subject.
Mandatory or optional nature of the data collection
Categories of data recipients
If the matter is referred indirectly to the DPO by third party bodies (bodies appointed to act on behalf of the data subjects) or by the CNIL following a complaint, the DPO will pass on to these bodies the data required to handle the complaint.
Transfers of data outside the EU
Data storage period
Personal data processed in connection with a request to exercise rights or a request for information are stored for the calendar year of the request, plus five years.
Personal data processed in connection with a complaint lodged with the CNIL are stored for 10 years after the case has been closed.
In accordance with the regulations applicable to personal data, you have the right to access, rectify and erase your data, to object to its use, to restrict processing, to withdraw consent, and to data portability (where appropriate). You can exercise these rights by email (email@example.com) or by writing to the postal address of SUEZ, for the attention of the SUEZ DPO (Tour CB21, 16 place de l’Iris, 92040 La Défense Cedex, France), indicating your surname, first name and address, and attaching a copy of both sides of your identity papers. You can also give instructions about what happens to your data after your death.
To find out more about your rights, visit the website of the CNIL: www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles.
In the event of a difficulty concerning the handling of your request to exercise your rights relating to personal data, you can contact the SUEZ DPO again by email (firstname.lastname@example.org) or by letter sent to the address of SUEZ.
If you feel that the DPO’s response is unsatisfactory, you can lodge a complaint with the French Data Protection Authority (CNIL), by sending a letter to: Commission Nationale Informatique et Libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, or online at https://www.cnil.fr/.