Purpose of the Processing
The data is processed for the purposes of handling reports submitted by whistleblowers within SUEZ (including occasional workers) and outside SUEZ regarding breaches of the Group’s rules of ethics and applicable anti-corruption statutes and regulations.
The data is processed to comply with legal obligations created by the Transparency, Anti-Corruption and Modernisation of the Economy Act 2016
(Law 2016-1691 of 9 December 2016, known as the “Sapin II Act”), Decree 2017-564 of 19 April 2017 on the procedures for collecting reports from whistleblowers, and the Parent Company and Corporate Customer Due Diligence Act 2017
(Law 2017-399 of 27 March 2017).
Categories of Data Processed
The following categories of personal data are collected directly and indirectly by the Ethics and Compliance Division of SUEZ:
- (i) the identity, position, and contact details of the whistleblower;
- (ii) the identity, position, and contact details of the individuals implicated by the report;
- (iii) the identity, position, and contact details of the individuals involved in receiving or processing the report;
- (iv) any facts, information, and documents that may substantiate the report;
- (v) information gathered while investigating the actions reported;
- (vi) the investigation report;
- (vii) measures taken as a result of the whistleblower’s report.
Mandatory or Optional Nature of the Data Collection
The collection of the data is necessary for the report to be processed.
The data subjects are the whistleblower and the individual implicated by the report.
The personal data collected is exclusively sent to authorised individuals (the Ethics and Compliance Director responsible for the processing and the Group Ethics Officer) and to individuals that they select (local ethics officers, if any), or to individuals with internal authorisation (Legal Department, Human Resources Department), to assist them with the investigation following receipt of the report. The Internal Auditing Division can also be tasked with conducting additional investigations at the request of SUEZ.
Transfers of Data Outside the EU
Processing of reports handled by the Group’s Ethics and Compliance Division that are submitted by whistleblowers located outside the European Union (from within or outside the Group) or reports regarding employees located outside the European Union may be transferred outside the European Union for the sole purposes of processing them, provided appropriate safeguards are put in place.
Data Storage Period
The personal data collected will be stored for as long as is required to process the report.
Data collected that does not fall within the scope of the ethics whistleblowing programme will be immediately destroyed or archived.
If the report falls within the scope of the programme but does not result in disciplinary or legal proceedings, the personal data in the report will be destroyed or archived in anonymous form no later than two months after the end of the investigation.
If disciplinary or legal proceedings are initiated against one or more individuals implicated by the report or against a whistleblower who has submitted an abusive report, the personal data pertaining to the whistleblower’s report will be stored by SUEZ until the proceedings have reached an end. This data will then be archived in anonymous form or destroyed no later than two months after the proceedings have reached an end.
Under applicable data protection regulations, you have a right to access, correct, and restrict the processing of your personal data. To exercise these rights, please contact firstname.lastname@example.org or write to the SUEZ Data Protection Officer (DPO) at Tour CB21, 16 place de l’Iris, 92040 La Défense Cedex, France, indicating your first and last name and address.
Individuals implicated by whistleblowing reports will not under any circumstances be allowed to obtain the identity of the whistleblower by asserting their right to access their data.
To exercise your rights, please include a copy of a valid ID, unless the information sent with your request allows us to identify you with certainty. To learn more about your rights.
If you feel that the DPO’s response is unsatisfactory, you can lodge a complaint with France’s National Data Protection Authority, the CNIL, either by writing to Commission Nationale Informatique et Libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, or online.
(Amended 30 August 2019)