The purpose for which the data is processed is, depending on the nature of the message, specified in the contact form:
The categories of personal data directly and indirectly collected by the SUEZ Ethics and Compliance Department are strictly necessary to verify the accuracy of the reported allegations, and can include the following, depending on the context:
When submitting the report:
Information furnished by whistleblowers in their reports must remain factual and must be directly related to the subject of the report. In accordance with the principle of data minimisation, whistleblowers must limit the transmission of personal data to what is strictly necessary, in order to safeguard the rights of individuals potentially concerned by the report.
Upon receipt of the report and during the investigation:
The specific case of sensitive data and data on criminal offences:
Special categories of personal data (“sensitive data”) may be processed, as provided for in Article 9, Paragraph 2 (f) of the GDPR, when such processing is necessary for the establishment, exercise, or defence of legal claims.
The data collected and processed within the context of the professional whistleblowing programme may also include data on criminal offences, convictions, and security measures concerning natural persons. This data must be collected and processed exclusively in accordance with the provisions of Article 10 of the GDPR and Article 46 of the French Data Protection Act.
The data collected is exclusively sent to individuals authorised to access it within the scope of their official duties (Sustainable Development, Human Resources, Environmental and Industrial Risks for issues related to the duty of vigilance, or the Ethics and Compliance Director specially tasked with handling whistleblowing reports and the Group Ethics Officer for all ethics-related issues), as well as to individuals they select or individuals with internal authorisation (e.g. local ethics officers or, where applicable, the Legal Department), in order to allow them to assist with the investigation following receipt of the report. The Internal Audit Department can also be tasked with conducting additional investigations at the request of SUEZ. In limited cases requiring the intervention of outside service providers, the data may be sent to individuals bound by a contract with SUEZ (or with the relevant SUEZ entities) setting out their obligations under the GDPR.
Some laws and regulations strictly limit the disclosure of information (particularly information allowing a whistleblower or the individuals implicated by a report to be identified following an investigation into the report’s legitimacy), with the exception of disclosure to judicial authorities. If we find it necessary to disclose such information, prior written consent will be obtained from the individual in question via a specific form.
The personal data collected will be stored for as long as is required to process the report.
If the report falls within the scope of the Group’s legal or regulatory obligations (cases (1) to (3) described above) but does not result in disciplinary or legal proceedings or in any change in internal rules, the personal data in the report will be destroyed or archived in anonymous form no later than two months after the end of the investigation.
If disciplinary or legal proceedings are initiated against one or more individuals implicated by the report or against a whistleblower who has submitted an abusive report, the personal data pertaining to the whistleblower’s report will be stored by SUEZ or the relevant SUEZ entities until the proceedings have reached an end. This data will then be archived in anonymous form or destroyed no later than two months after the proceedings have reached an end.
If any action is taken as a result of the report, SUEZ may store the data collected in its intermediate archives for the time needed to ensure that the whistleblower is protected or to allow ongoing wrongdoing to be observed.
The data may be stored in intermediate archives for a longer period if SUEZ or its entities are legally required to do so (for instance, to comply with corporate accounting, social security, or tax obligations) or if they wish to preserve evidence in support of future legal action; in the latter case, the data may be stored up to the maximum limitation period for claims.
In other cases (see case (4) above), the data collected is immediately destroyed or anonymised.
Under applicable data protection regulations, you have the right to access, correct, delete (except in cases (1) to (3) as described above), object to (except in cases (1) to (3) as described above), and restrict the processing of your personal data. To exercise these rights, contact firstname.lastname@example.org or write to the SUEZ Data Protection Officer (DPO) at Tour CB21, 16 place de l’Iris, 92040 La Défense Cedex, France, indicating your first and last name and address.
The right of access must not be used in such a way as to allow the individual exercising it to access personal data on other natural persons.
Individuals implicated by whistleblowing reports will not under any circumstances be allowed to obtain the identity of the whistleblower by asserting their right of access to their data.
For ethics reports, the right to correct one’s personal data (the right of rectification) must not be used in such a way as to allow information contained in a report or gathered during the resulting investigations to be retroactively modified. When the exercise of this right is permitted, the resulting corrections must not prevent the timeline of changes to important aspects of the investigation from being reconstructed. This right may only be exercised to correct factual inaccuracies affecting information in support of the evidence, and no information initially collected should be erased or replaced, even if it is inaccurate.
To exercise your rights, please include a copy of a valid ID, unless the information sent with your request allows us to identify you with certainty. To learn more about your rights, visit www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles.
If you feel that the DPO’s response is unsatisfactory, you can lodge a complaint with France’s National Data Protection Authority, the CNIL, either by writing to Commission Nationale Informatique et Libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, or online at https://www.cnil.fr/.
(1) Articles 6 et seq. of the Transparency, Anti-Corruption and Modernisation of the Economy Act 2016 (Law 2016-1691 of 9 December 2016, known as the “Sapin II Act”).
– Decree No. 2017-564 of 19 April 2017 on the Procedures for Receiving Disclosures from Whistleblowers within Public Corporations, Private Entities, and National Government Entities.
(2) Article 17, point II, sub-point 2 of the Sapin II Act and the French Anti-Corruption Agency’s recommendations pursuant to Article 3.2 of the Sapin II Act (the fight against corruption and influence peddling).
(3) Duty of Care of Parent Companies and Instructing Companies Act 2017 (Law 2017-399 of 27 March 2017).
(Amended January 9th, 2020)