Processing and protection policy of your personal data

1. Preamble

Angibaud, Derôme & Spécialités (hereafter “Angibaud”) through its parent company SEDE Environnement, within the Veolia group, makes strong commitments in favor of the protection of personal data. This Personal Data Protection Policy aims to inform any natural person concerned (employees or candidates, customers, suppliers or partners and their employees) of the measures thus implemented when the company Angibaud collects personal data in the exercise of its activities. It is likely to change as needed, due to the legal context, in France or within the European Union, as well as recommendations or decisions of the CNIL.

2. Data collected, purposes of processing and role of the DPO

Angibaud applies the group’s policy in this area and has set up an organization to ensure compliance with this Policy, under the control of the Compliance Director of the Veolia group (“group CCO”).

In addition, Angibaud takes measures to make its employees aware of the need to protect personal data so that collection or processing takes place only if it is necessary for the purposes envisaged and if these purposes are defined to guarantee their lawful, determined, explicit and legitimate nature.

The processing carried out by Angibaud and containing personal data is the subject of a complete description sheet, included in the “processing register” kept by the Data Protection Officer (DPO).

The DPO thus ensures that the collection of personal data and its processing comply with :

  • Regulation (EU) 2016/679 of the Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD) and
  • the law of law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms amended (I&L Law).

3. Golden rules

Angibaud ensures compliance with the following six golden rules for each person required to collect and process personal data :

  • complies with the GDPR by ensuring that personal data is collected, used and shared with respect for the rights of data subjects and the concept of “privacy by design” for data protection from the design stage of processing;
  • be transparent and clear with the data subjects on the purposes of the planned processing, on the reason and methods of its implementation as well as on the recipients with whom this data may be shared; seek the consent of the natural persons concerned whenever possible and only act without their consent in the cases provided for by the GDPR or the law or when their prior consultation is impossible or presents a particular risk;
  • seek advice when in doubt about how to handle personal data, interact with other specialists, seek legal advice or seek the advice of the competent regulatory authority and keep a record of its decisions;
  • take the decision to collect, use or share personal data taking into account the interest of the natural person to process only the data necessary, relevant, adequate, proportionate, fair, timely and secure, for a limited period of time treatment needs;
  • ensure that personal data is only shared with those to whom access is necessary to provide the expected service and achieve the purpose of the processing;
  • ensures that security measures commensurate with the risks have been taken to preserve the availability, confidentiality and integrity of processing.

4. Information of the natural persons concerned

In accordance with the GDPR, Angibaud endeavors to inform the natural persons concerned of the rights guaranteed to them by advising them :

  • of the identity of the data controller;
  • the purpose of the processing;
  • the mandatory or optional nature of the responses and the possible consequences of a failure to respond;
  • the recipients of the data;
  • their right to access, query, modify and rectify information concerning them, their right to object for legitimate reasons, their right to oppose their personal data being used at for commercial prospecting purposes as well as their right to define instructions regarding the processing of their personal data after their death;
  • the retention period for the categories of data processed.

5. Data recipient

Angibaud may share the personal data collected with people in the Veolia group or with its service providers or with its suppliers, only to the extent necessary to perform the tasks entrusted to them. Angibaud ensures that its service providers and partners act in accordance with the applicable laws and regulations on the protection of personal data, but also that they pay particular attention to the confidentiality of this data.

6. Data retention

The processing of personal data collected by Angibaud or on its behalf is kept by Angibaud or by its service providers, in particular on cloud storage platforms. For reasons mainly technical or related to the international dimension of Angibaud within the group, certain data may thus be stored or accessed outside the European Union or the European Economic Area (EEA). In this case, Angibaud ensures that measures are put in place to ensure a level of protection of personal data compatible with the requirements of the GDPR, in particular by rigorous and appropriate physical, technical, organizational and procedural measures to ensure the availability, confidentiality and integrity of personal data by modulating them according to the nature and sensitivity of the data concerned. Angibaud strives to limit the retention period of personal data for the time necessary for the operations for which it was collected and processed, in compliance with applicable regulations. Personal data is then irreversibly deleted or anonymized.

7. Security and alerts

Angibaud takes measures to ensure that the security of the personal data it processes is appropriate according to the sensitivity of this data and the risks attached to it. To this end, the IT teams concerned or their subcontractors implement the requirements of Veolia’s cybersecurity policy and in particular those relating to :

  • the identification of cyber risks,
  • the implementation of suitable network protections, via filtering devices,
  • maintaining the various components of the infrastructure and applications in a safe condition, in particular the application of security updates and the upgrading of components to avoid the use of non-maintenance components,
  • the hardening of infrastructure components such as servers or workstations,
  • regular checking of infrastructure or application vulnerabilities through monitoring and the use of technical or application vulnerability scanners,
  • encryption of data at rest when needed and in transit,
  • the use of good security practices during the development of applications, in particular for web-type applications, the use of the OWASP repository,
  • the allocation of user rights respecting the rule of least privilege and the right to know,
  • access protection by implementing strong authentication mechanisms, by using SSO (Single Sign On) based on the Veolia group’s digital identity repository and by regularly reviewing accounts,
  • overseeing the security of personal data and the applications accessing it, in particular through centralization and use of logs,
  • the conservation of elements proving the implementation of the above measures. In the event of a breach of the personal data it holds, Angibaud (SEDE group) is required to react without delay as soon as it becomes aware of the event in order, on the one hand, to inform the CNIL and if there is takes place, the people concerned and on the other hand, identify the failures and put in place appropriate security measures.

8. Rights of individuals

In accordance with the French data protection law – aligned with the GDPR – of June 20, 2018, natural persons whose personal data is collected have a right of access, modification, if necessary. portability as well as a right to be forgotten concerning the personal data which concerns him.

They also have a right to oppose the processing of their personal data for legitimate reasons and the right to define general and specific guidelines concerning the fate of their data after their death.

To exercise these rights, each person concerned by processing containing personal data may contact in writing the person in charge of processing within Angibaud whose identity was brought to their attention during the collection or to his DPO by sending an email to the address dpo@sede.fr.

9. Contact

For any request for information concerning our data protection policy, you can send a letter to the DPO of SEDE (dpo@sede.fr).

In general, you can always contact the CNIL (https://www.cnil.fr or at 3, Place de Fontenoy, 75007 Paris).

10. Cookies