
Purposes of processing
The processing of data conducted by the Company – SUEZ S.A. – or one of its subsidiaries (hereinafter collectively referred to as “SUEZ Group”) aims to:
- Collect any report (“Report”) that does not represent an Alert, as defined below;
- Collect and manage alerts (“Alerts”) on:
- a crime or misdemeanor, a violation or attempted concealment of violation of an international undertaking by France, a unilateral measure by an international organization adopted on the basis of such an undertaking, European Union (“EU”) legislation, laws or regulations, or a threat or damages to the public’s interest;
- instances of corruption, influence peddling and conflicts of interest;
- and/or conduct and scenarios contravening the SUEZ Group Ethics Charter;
- and the existence or occurrence of risks of serious breaches that the SUEZ Group, its direct or indirect subsidiaries or its subcontractors or suppliers may commit in their shared activities with respect to human rights and basic civil liberties, the health and safety of individuals, and the environment.
The management of the abovementioned Alerts has the following purposes: processing of Alerts through checks; conducting investigations and interviews; gathering documents and analyses; defining follow-up actions to be taken; documenting completed steps; protecting persons affected by the Alerts; exercising and defending lawful rights; and performing audits of the whistleblowing system (hereinafter the “System”).
Legal basis
In France, this processing is completed by SUEZ S.A. and the relevant SUEZ Group entities in an effort to fulfill:
- On the one hand, their lawful obligations resulting from the provisions (i) of Articles 6 et seq., and Article 17.II., paragraph 2 of French Law No. 2016-691 of December 9, 2016 on transparency, the fight against corruption and modernized business practice, as amended by France’s Law No. 2022-401 of March 21, 2022 – known as the “Sapin II” Law, and (ii) Article L. 225-102-4 of the French Code of Commerce (“Code de commerce”).
- On the other hand, their legitimate interests in (i) gaining knowledge of any act or scenario contravening their internal procedures and being able to respond in the event of Alerts to conduct or a situation that contravenes the Ethics Charter and (ii) collecting Reports.
In the rest of the European Union (“EU”), the SUEZ Group entities in question process this personal data in their legitimate interests to gain knowledge of any scenario that contravenes its Ethics Charter and to provide a response. Each SUEZ Group entity established outside the EU ensures that its personal data processing activities comply with the regulations in force.
Types of data processed
With respect to a Report (excluding Alerts), the data processed is that provided by the Affected Person in the form or via the [email protected] email address.
In terms of collecting and processing Alerts, the types of personal data collected by SUEZ’s Ethics and Compliance Department – whether directly or indirectly – are strictly necessary for checking the alleged facts:
When an Alert is escalated:
Information sent by the Alert instigator must remain fact-based, demonstrating a direct connection with the subject of said Alert. Pursuant to the principle of data minimization, the Alert instigator is responsible for restricting personal data disclosures to bare necessities, in an endeavor to safeguard the fulfillment of individual rights and freedoms which are likely to be affected by the Alert. In particular, escalating an Alert may not include facts, information or documents, regardless of their form or medium, of which disclosure is prohibited by provisions covering national defense secrecy, medical secrecy, the secrecy of judicial deliberations, the secrecy of investigations or judicial inquiries, or the secrecy of relations between lawyers and their clientele.
When an Alert is received and directed:
The below types of data may be processed:
- Identity, departments and contact details of the Alert instigator as and where required, provided that said instigator provides such data;
- Identity, departments and contact details of the persons who are the subject of the Alert;
- Identity, departments and contact details of the persons involved, consulted and heard in order to collect and process the Alert;
- Identity, departments and contact details of the enablers and persons connected to the Alert instigator;
- Reported facts;
- Information collected at the time of checking the reported facts;
- Reporting minutes for spot checks;
- Follow-up actions on the Alert.
Cases in point for sensitive data and data breaches:
Depending on the subject of the Alert, SUEZ S.A. and relevant SUEZ Group entities may also be required to process sensitive data pursuant to the General Data Protection Regulation (“GDPR”) and/or data pertaining to violations, convictions and security measures with regard to natural persons. In such circumstances, the processing of this data is authorized under:
- Legal requirements in force at SUEZ Group entities;
- and the need for SUEZ Group entities to lawfully observe, exercise and defend a right.
Mandatory and optional aspects of data collection
It is mandatory that data be provided to enable SUEZ S.A. or the relevant SUEZ Group entity to respond to and/or process the escalated Alert or Report. This data is marked with an asterisk on the form.
Affected persons
Persons affected (hereinafter “Affected Persons”) by processing are as follows:
- As regards Alerts:
- the Alert instigator: SUEZ Group employee, supplier, customer or any other third party;
- the person who is the subject of the Alert;
- the persons involved, consulted and heard in order to process the Alert;
- and the enablers and persons connected to the Alert instigator.
In respect of a Report: the instigator and the persons involved, consulted and heard in order to process said Report.
Data recipients
Personal data collected is exclusively intended for persons authorized (hereinafter “Authorized Persons”) to have such knowledge insofar as it falls within the scope of their respective responsibilities, namely:
- SUEZ’s Ethics and Compliance Department as well as Ethics and Compliance Officers or Representatives (“ECO” or “ECC”) within the Business Units (“BU”) who receive the Alert or Report;
- Other Authorized Persons are those selected (or appointed) by an ECO or SUEZ’s Ethics and Compliance Department to assist in or delegate the processing of the Alert. Any person required to process an Alert must first sign a Non-Disclosure Agreement (“NDA”).
Where appropriate, this data may be forwarded to the judicial authorities, in compliance with the legal and regulatory provisions in force.
Data transfer outside the EU
Under specific circumstances, personal data processed by the SUEZ Group Ethics and Compliance Department may be disclosed to Authorized Persons within other SUEZ Group entities and external service providers (particularly lawyers) in the context of transfers outside the European Union, for the sole purpose of checking and processing Alerts or Reports. To ensure continuity in the protection of personal data, these transfers require the implementation of appropriate safeguards, in accordance with Article 44 of the GDPR.
Storage period
As far as collecting and processing any Report that does not represent Alerts is concerned, data is stored in an active database until a final decision is made on follow-up actions to be taken. Then, at a later stage, Alerts are temporarily archived for the timeframe strictly necessary to form evidence ahead of potential monitoring and litigation and/or perform quality audits on the Report procedure and/or enable SUEZ Group entities to honor their corporate social responsibility and meet their accounting and tax requirements.
In the case of collecting and processing Alerts, the personal data collected shall be stored for the timeframe needed to deliver processing:
Should the Alert not be followed up by disciplinary action or legal proceedings, the data is stored:
- In an active database until a final decision is made on follow-up actions to be taken regarding the Alert, which must be completed within a reasonable timeframe upon receipt;
- And it is temporarily archived at a later stage for the timeframe strictly necessary to protect the Affected Persons, conduct additional investigations, form evidence ahead of potential monitoring and litigation, perform quality audits on the System and/or enable SUEZ Group entities to honor their corporate social responsibility and meet their accounting and tax requirements;
Should the Alert be followed up by disciplinary action or legal proceedings, the data is stored:
- In an active database until proceedings are complete;
- And it is temporarily archived at a later stage until appeals against the decision are lodged and/or to perform quality audits on the System and/or to enable SUEZ Group entities to honor their corporate social responsibility and meet their accounting and tax requirements.
Affected persons’ rights
Pursuant to the Regulations, Affected Persons are entitled to their right to access, correct and delete their personal data, in addition to their right to object to processing for reasons owing to their particular circumstances (when processing is based on the legitimate interests of SUEZ S.A. or SUEZ Group entities), and their right to restrict data processing – all of which they can exercise by postal correspondence marked “CONFIDENTIAL” and followed by the name of the relevant SUEZ Group entity: SUEZ Ethics and Compliance Department (“Direction de l'Ethique et de la Conformité SUEZ”) Tour Altiplano, 4 Place de la Pyramide, 92800 Puteaux - France or by emailing [email protected].
On the subject of Alerts, the right to correct must not allow for amendments made on a retroactive basis to information found within an Alert or collected, as it was directed. Where admissible, exercising this right may not lead to preventing a chronological reconstruction of any potential amendments to important investigative information. This very right exclusively applies to correct fact-based data backed by evidence, which neither deletes nor replaces the data collected from the onset – even if such data were incorrect.
In the event of a complaint regarding the processing of their personal data, Affected Persons may contact the Data Protection Officer (“DPO”), as appointed by the SUEZ Group, via postal correspondence – which is marked “CONFIDENTIAL” and followed by the name of the relevant SUEZ Group entity: Data Protection Officer, (“Délégué à la protection des données personnelles”) SUEZ Tour Altiplano, 4 Place de la Pyramide, 92800 Puteaux - France or by emailing [email protected]. Assuming they consider that they have not received the information they requested, they may notify their country's personal data supervisory authority (in France, this is the Commission nationale de l'informatique et des libertés, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, FRANCE. https://www.cnil.fr/).