Purpose of the Processing
The purpose for which the data is processed is, depending on the nature of the message, specified in the contact form:
- (1) collecting and processing ethics reports submitted by whistleblowers within SUEZ (including occasional workers) and outside SUEZ regarding breaches of the Group’s rules of ethics and applicable anti-corruption statutes and regulations (the internal “anti-corruption” whistleblowing programme provided for under the Sapin II Act);
- (2) collecting reports within the scope of the procedures for collecting reports from whistleblowers (the general whistleblowing programme required under the Sapin II Act);
- (3) collecting and handling reports regarding risks to human rights, basic freedoms, individual health and safety, and the environment, in accordance with French legislation on the duty of care of parent companies and instructing companies;
- (4) collecting and responding to requests for information or questions regarding ethics (particularly those related to the implementation of the SUEZ “Ethics Charter”) or the SUEZ group’s duty of care (particularly those related to the SUEZ “Human Rights Policy”), outside the scope of any legal obligations or applicable regulations.
This data is processed on the following legal basis: (a) in cases (1) to (3) described above, to comply with the legal obligations requiring the existence of a whistleblowing programme; (b) in case (4) described above, in the legitimate interest of SUEZ.
Categories of Data Processed
The categories of personal data directly and indirectly collected by the SUEZ Ethics and Compliance Department are strictly necessary to verify the accuracy of the reported allegations, and can include the following, depending on the context:
When submitting the report:
Information furnished by whistleblowers in their reports must remain factual and must be directly related to the subject of the report. In accordance with the principle of data minimisation, whistleblowers must limit the transmission of personal data to what is strictly necessary, in order to safeguard the rights of individuals potentially concerned by the report.
Upon receipt of the report and during the investigation:
- (i) the identity, position, and contact information for the whistleblower, if he or she provides this data;
- (ii) the identity, position, and contact information of the individuals implicated by the report;
- (iii) the identity, position, and contact details of the individuals involved in receiving or processing the report;
- (iv) the alleged misconduct being reported;
- (v) information gathered while investigating the actions reported;
- (vi) the investigation report;
- (vii) measures taken as a result of the whistleblower’s report.
The specific case of sensitive data and data on criminal offences:
Special categories of personal data (“sensitive data”) may be processed, as provided for in Article 9, Paragraph 2 (f) of the GDPR, when such processing is necessary for the establishment, exercise, or defence of legal claims.
The data collected and processed within the context of the professional whistleblowing programme may also include data on criminal offences, convictions, and security measures concerning natural persons. This data must be collected and processed exclusively in accordance with the provisions of Article 10 of the GDPR and Article 46 of the French Data Protection Act.
Mandatory or Optional Nature of the Data Collection
The collection of the data is necessary for the report to be processed.
The data subjects are the whistleblower and the individual implicated by the report.
The data collected is exclusively sent to individuals authorised to access it within the scope of their official duties (Sustainable Development, Human Resources, Environmental and Industrial Risks for issues related to the duty of vigilance, or the Ethics and Compliance Director specially tasked with handling whistleblowing reports and the Group Ethics Officer for all ethics-related issues), as well as to individuals they select or individuals with internal authorisation (e.g. local ethics officers or, where applicable, the Legal Department), in order to allow them to assist with the investigation following receipt of the report. The Internal Audit Department can also be tasked with conducting additional investigations at the request of SUEZ. In limited cases requiring the intervention of outside service providers, the data may be sent to individuals bound by a contract with SUEZ (or with the relevant SUEZ entities) setting out their obligations under the GDPR.
Some laws and regulations strictly limit the disclosure of information (particularly information allowing a whistleblower or the individuals implicated by a report to be identified following an investigation into the report’s legitimacy), with the exception of disclosure to judicial authorities. If we find it necessary to disclose such information, prior written consent will be obtained from the individual in question via a specific form.
Transfers of Data Outside the EU
Reports processed by the Group’s Ethics and Compliance Department that are submitted by whistleblowers located outside the European Union (from within or outside the Group) or reports regarding employees located outside the European Union may, in some cases, be transferred to authorised personnel in other SUEZ Group entities or to outside service providers (and in particular to lawyers) outside the European Union for the sole purposes of investigating or processing these reports. To ensure the uninterrupted protection of this personal data, all such transfers are subject to the implementation of appropriate safeguards as per Article 44 of the GDPR.
Data Storage Period
The personal data collected will be stored for as long as is required to process the report.
If the report falls within the scope of the Group’s legal or regulatory obligations (cases (1) to (3) described above) but does not result in disciplinary or legal proceedings or in any change in internal rules, the personal data in the report will be destroyed or archived in anonymous form no later than two months after the end of the investigation.
If disciplinary or legal proceedings are initiated against one or more individuals implicated by the report or against a whistleblower who has submitted an abusive report, the personal data pertaining to the whistleblower’s report will be stored by SUEZ or the relevant SUEZ entities until the proceedings have reached an end. This data will then be archived in anonymous form or destroyed no later than two months after the proceedings have reached an end.
If any action is taken as a result of the report, SUEZ may store the data collected in its intermediate archives for the time needed to ensure that the whistleblower is protected or to allow ongoing wrongdoing to be observed.
The data may be stored in intermediate archives for a longer period if SUEZ or its entities are legally required to do so (for instance, to comply with corporate accounting, social security, or tax obligations) or if they wish to preserve evidence in support of future legal action; in the latter case, the data may be stored up to the maximum limitation period for claims.
In other cases (see case (4) above), the data collected is immediately destroyed or anonymised.
Your Rights (potential whistleblowers, individuals potentially implicated by their reports, or individuals whose data is processed under the whistleblowing programme, such as whistleblowers, individuals implicated by their reports, presumed victims of alleged misconduct, witnesses, and individuals interviewed during investigations)
Under applicable data protection regulations, you have a right to access, correct, delete (except in cases (1) to (3) as described above), oppose (except in cases (1) to (3) as described above), and restrict the processing of your personal data. To exercise these rights, contact email@example.com or write to the SUEZ Data Protection Officer (DPO) at Tour CB21, 16 place de l’Iris, 92040 La Défense Cedex, France, indicating your first and last name and address.
The right of access must not be used in such a way as to allow the individual exercising it to access personal data on other natural persons.
Individuals implicated by whistleblowing reports will not under any circumstances be allowed to obtain the identity of the whistleblower by asserting their right of access to their data.
For ethics reports, the right to correct one’s personal data (the right of rectification) must not be used in such a way as to allow information contained in a report or gathered during the resulting investigations to be retroactively modified. When the exercise of this right is permitted, the resulting corrections must not prevent the timeline of changes to important aspects of the investigation from being reconstructed. This right may only be exercised to correct factual inaccuracies affecting information in support of the evidence, and no information initially collected should be erased or replaced, even if it is inaccurate.
To exercise your rights, please include a copy of a valid ID, unless the information sent with your request allows us to identify you with certainty. To learn more about your rights, visit www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles.
If you feel that the DPO’s response is unsatisfactory, you can lodge a complaint with France’s National Data Protection Authority, the CNIL, either by writing to Commission Nationale Informatique et Libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, or online at https://www.cnil.fr/.
(1) Articles 6 et seq. of the Transparency, Anti-Corruption and Modernisation of the Economy Act 2016 (Law 2016-1691 of 9 December 2016, known as the “Sapin II Act”).
– Decree No. 2017-564 of 19 April 2017 on the Procedures for Receiving Disclosures from Whistleblowers within Public Corporations, Private Entities, and National Government Entities.
(2) Article 17, point II, sub-point 2 of the Sapin II Act and the French Anti-Corruption Agency’s recommendations pursuant to Article 3.2 of the Sapin II Act (the fight against corruption and influence peddling).
(3) Duty of Care of Parent Companies and Instructing Companies Act 2017 (Law 2017-399 of 27 March 2017).
(Amended January 9th, 2020)