Anchor zone L1 - Full

Purpose of the processing

The purpose of the processing is:

  • receipt of requests relating to data subjects’ rights (access, rectification, erasure (right to be forgotten), withdrawal of consent, restriction of processing, portability, if applicable) sent to the DPO via the data protection contact form available online on, via the generic email address of the DPO ([email protected]), or by letter, depending on the case;
  • preliminary investigation and monitoring of such requests, in collaboration with the internal departments of SUEZ or of its entities concerned by the requests, or in collaboration with the French Data Protection Authority (CNIL) if a complaint is lodged with it by the data subjects (where appropriate);
  • -overall monitoring of the management of requests to exercise rights by the DPO for the purposes of internal reporting or statistics.

Processing enables SUEZ to comply with Article 7 (Conditions for consent) and where appropriate Articles 13 et seq. of the GDPR (Information and access to personal data) and with the French Data Protection Act.

Legal basis

Processing is necessary for compliance with the legal obligation of SUEZ or its entities in the capacity of data controller(s) (compliance with Article 6 (1) c) of the GDPR and with the French Data Protection Act).

Categories of data processed

The following categories of data are processed:

  • Identity and contact details of the applicant (surname, first name, email address, postal address, where appropriate)
  • Description of the purpose of the request, date and reference;
  • Additional information requested by the DPO if the request is unclear, such as the legal entity/entities of SUEZ concerned by the request, reference number of the job advertisement, in the event of a request for access or erasure by an applicant;
  • Written proof (identity card or passport) required to check the identity of the applicant making the request, if necessary;
  • Exchanges relating to management of the request until it is closed.

The personal data processed may result from direct collection, if the data subjects send a request to exercise their rights or a request for information to the DPO.

In other cases, the personal data processed may result from indirect collection, in particular:

  • If the DPO receives a request to exercise rights or for information from a body that is duly authorised to act on behalf of the data subject in connection with a mandate or requisitioning (e.g. a collection agency);
  • If the personal data were collected by a data processor of SUEZ by virtue of a contract, in compliance with the GDPR (e.g. in order to conduct an investigation);
  • If the data subject lodged a complaint or made a request for information to the CNIL, and the CNIL decides to pass on the request to the DPO so that the DPO can give a suitable reply to the data subject.

Mandatory or optional nature of the data collection

Collection of the data is necessary for the processing to be carried out.

Automated decision-making

The processing does not provide for automated decision-making.

Data subjects

The data processing concerns people who exercise their rights on the basis of Article 6 of the GDPR, applicants, employees, people who are subject to a contract with SUEZ or its entities, or people mentioned in a mandate in connection with requisitioning or similar proceedings.

Categories of data recipients

The personal data collected are solely intended for the DPO and the Departments that need to know them in order to be able to identify the person and answer the request. Where appropriate, this may be the Department responsible for handling customer complaints, or other SUEZ entities if these entities are directly concerned by the handling of the request.
If the matter is referred indirectly to the DPO by third party bodies (bodies appointed to act on behalf of the data subjects) or by the CNIL following a complaint, the DPO will pass on to these bodies the data required to handle the complaint.

Transfers of data outside the EU

No transfers of data are made outside the European Union, unless a transfer is necessary to manage the request by the data subject, and in compliance with the GDPR.

Data storage period

Copies of identity papers are deleted immediately after the check carried out by the DPO.
Personal data processed in connection with a request to exercise rights or a request for information are stored for the calendar year of the request, plus five years.
Personal data processed in connection with a complaint lodged with the CNIL are stored for 10 years after the case has been closed.

Your rights

In accordance with the regulations applicable regarding personal data, you have the right to access, rectify, object to use, erase, restrict processing, withdraw consent, and portability (where appropriate) which you can exercise by email ([email protected]) or at the postal address of SUEZ, for the attention of the SUEZ DPO (Tour CB21, 16 place de l’Iris, 92040 La Défense Cedex, France), indicating your surname, first name and address, and attaching a copy of both sides of your identity papers. You can also give instructions about what happens to your data after your death.

To find out more about your rights, visit the website of the CNIL:

In the event of a difficulty concerning the handling of your request to exercise your rights relating to personal data, you can contact the SUEZ DPO again by email ([email protected]) or by letter sent to the address of SUEZ.

If you feel that the DPO’s response is unsatisfactory, you can lodge a complaint with the French Data Protection Authority (CNIL), by sending a letter to: Commission Nationale Informatique et Libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, or online at